Legal Documents
Legal Documents
TERMS AND CONDITIONS
This agreement is for the provision of CloudCall’s communication software and associated services (Agreement) and incorporates these Standard Terms and Conditions, together with the Order, the Key Terms and any Schedule(s) agreed between CloudCall and the Customer.
1.1 As used in the Agreement, the following terms shall have the following meanings:
| Affiliate | means in respect of either the Customer or CloudCall any of its holding companies and any such subsidiary of that holding company; |
| Applicable Law | means the laws of the country or, for the USA, the State in which CloudCall is located and any international laws which are applicable generally to products similar to the Product, and excludes any laws which affect the Customer but not CloudCall; |
| Charges | means the Initial Charges and Recurring Charges specified on the Order including any other fixed and/or variable charges, fees, charges, expenses or monies that may become due under this Agreement; |
| Cloud Computing Platform | means any or all of Amazon Web Services, Google Cloud Platform and Microsoft Azure, as the case may be depending on the Product(s) ordered; |
| Confidential Information | means any information disclosed by one party to this Agreement (or its Affiliate) (Disclosing Party) to the other party to this Agreement (or its Affiliate) (Receiving Party), or which is received by or comes into the possession or knowledge of the Receiving Party under or in connection with this Agreement and which relates to the Disclosing Party (or its Affiliate), which is marked confidential, which the Receiving Party knows or reasonably ought to know is confidential, or which by its nature is confidential, including (i) all Customer Data, which is the Confidential Information of the Customer; and (ii) the Products and their associated documentation and know-how, which are the Confidential Information of CloudCall, but excluding any information that: (i) is or becomes generally available to the public other than as a result of its disclosure by the Receiving Party or its agents, officers or employees in breach of: (1) this Agreement; or (2) any other undertaking of confidentiality which is addressed to the Disclosing Party and which the Receiving Party is aware of or reasonably ought to be aware of, and provided that any compilation of otherwise public information in a form not publicly known will nevertheless be treated as Confidential Information; (ii) was lawfully in the possession of the Receiving Party before the information was disclosed to it by the Disclosing Party; (iii) the parties agree in writing is not confidential or may be disclosed; or (iv) is developed by or for the Receiving Party independently of the information disclosed by the Disclosing Party; |
| Customer Data | means any data whether Personal Data, content, files, documents and/or any other type of information which the Customer uploads to, stores on or processes (or causes to be uploaded to, stored on or processed) using the Product; |
| Data Processing Addendum | means the data privacy schedule(s) containing the terms and conditions for data privacy processing and transfer requirements including transfer risk assessments as set out in the Data Privacy section of the Legal Documents page of CloudCall’s website with web address: https://cloudcall.com/legal-documents#data-privacy and as updated from time to time; |
| End User | means an individual end user of the Product authorized by the Customer to access and Use the Product and/or Services via this Agreement but strictly within the limit agreed between the Customer and CloudCall; |
| Intellectual Property Rights | means any patents, rights to inventions, copyright, moral rights, trade marks, business names and domain names, rights in get-up, goodwill and the right to sue for passing off, rights in designs, rights in computer software, database rights, rights to use, and protect the confidentiality of, confidential information (including know-how and trade secrets) and all other intellectual property rights, in each case whether registered or unregistered and including all applications and rights to apply for and be granted, renewals or extensions of, and rights to claim priority from, such rights and all similar or equivalent rights or forms of protection which subsist or will subsist now or in the future in any part of the world; |
| Products | means the CloudCall products (including any software, user interface, platform and any other features) provided to the Customer under this Agreement and as specified on the Order; |
| Product Description | means, in respect of a Product, the description of those Products including any service levels as set out in the Product Description page of the Legal Documents section of CloudCall’s website, with web address: https://cloudcall.com/legal-documents/#pd-schedule and as updated from time to time; |
| Services | means in respect of a Product, any onboarding support as set out in the Onboarding Schedule, and any technical support for that Product in accordance with the Product Description and any other associated services; |
| Taxes | means any and all taxes, including without limitation, sales, use, service, occupation, personal property, value-added and excise taxes and any other fees, assessments or taxes which may be assessed or levied by any taxing authority for Customer’s use of the Products and/or Services, excluding any taxes based on CloudCall’s income, in any relevant jurisdiction; and |
| Use | means, in respect of the Product, only those acts of storage, loading, execution and display as are reasonably necessary to the Customer’s enjoyment of the relevant Product in accordance with this Agreement. |
1.2 In this Agreement, the words “in particular”, “such as”, “include” or “including” do not denote an exhaustive list, and references to laws are references to those laws as amended, re-enacted and/or replaced from time to time.
1.3 Should there be any conflict the order of precedence shall be as follows: the Data Processing Addendum shall take precedence, followed by the Order, any Special Terms, Key Terms, the Standard Terms and Conditions, followed and any statements, schedules or addendums.
2.1 The Product shall conform in all material respects to the Product Description.
2.2 Subject to the Customer’s payment of the Charges and compliance with the terms of this Agreement, CloudCall grants to the Customer a non-exclusive, non-assignable license to Use the software (as part of the Product) from the Effective Date until the termination of this Agreement, strictly on the basis of the restrictions set out in clause 2.3).
2.3 The Customer shall not (and will not permit or encourage any other person to):
a) reverse engineer, disassemble, decompile or translate any Product, or otherwise attempt to derive the source code of any Product, except to the extent explicitly allowed under applicable law which cannot be waived by contracting parties;
b) resell, lease, rent, license, sublicense, transfer, assign, or redistribute or otherwise make the benefit of the Products available to any third party (provided that this clause 2.3 b) will not prevent the Customer making the benefit of the Products available to its Affiliates in furtherance of its group internal business purposes) unless permitted to do so in the relevant Order, and provided always that the Customer may not use any Product to compete, directly or indirectly, with CloudCall;
c) use the Product via a form of machine dialler designed to dial large volumes of numbers in contravention of local regulations;
d) create any derivative works of the Product;
e) use or deal with any Product in any way which is unlawful in any relevant jurisdiction, or to process any Customer Data which is unlawful, defamatory, harassing, obscene;
f) exceed the maximum quantity of subscriptions for End Users purchased by the Customer in any Order by, for example, permitting shared access. Without prejudice to CloudCall’s other rights or remedies, CloudCall shall be entitled to invoice the Customer for the additional Monthly Service Fees applicable to such excess access and/or use (and the Customer shall be required to pay the amounts specified in such invoices to CloudCall in full) in accordance with Clause 4 (Charges) of the Standard Terms and Conditions;
g) be permitted to decrease the quantity of End User subscriptions purchased by the Customer from CloudCall from time to time, as specified in any applicable Order(s), during the relevant Initial Term(s).
h) use the Product for sending telemarketing, promotional or informational messages without having first procured the consents, rights and/or licenses which are required by applicable laws and/or regulations to send such messages;
i) use the Product for the purposes of distributing (or collecting) messaging spam, bulk unsolicited messages, or any other form of unsolicited electronic communications distributed on a bulk basis;
j) use the Product for the transmission of misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value;
k) trunk or forward calls, messages, extensions or numbers associated with the Services to a private branch exchange or key system or to other numbers that can process multiple calls simultaneously; or
l) use the Product in any way which is misleading, manipulative, deceptive or fraudulent. For example, the Customer (and each End User) shall use the local presence feature (or equivalent) of the Services solely for the purposes of providing the recipient of a call (or attempted call) with a local call back number, and shall not use such feature for the purposes of misleading, deceiving or manipulating the recipient of a call (or attempted call) in respect of the location from which the call (or attempted call) originated or otherwise.
2.4 CloudCall expressly reserves the right to incorporate into the Product and/or Services any updates, modifications, extensions or improvements to the Product it may create (in the course of providing any Services or otherwise) and to make such modifications, extensions and/or improvements generally available throughout the term of this Agreement.
2.5 Customer acknowledges that any data or information that CloudCall may collect or that arises as a result of the Customer’s use of the Product that is not Customer Data shall be the exclusive property of CloudCall to use, without limitation, for monitoring the performance and developing improvements of the Product and/or Services. Additionally, the Customer grants CloudCall a perpetual, royalty free license to use any anonymized Customer Data for the purposes of developing improvements to the Products and/or Services.
3.1 CloudCall will use its reasonable efforts to provide the Services in accordance with the Product Description and an onboarding statement of work that will be agreed between the parties in a ‘kick off’ meeting on or shortly after the Effective Date (Onboarding SOW). The Customer shall act in good faith and with good cooperation to ensure all staff attend any training and perform any acts necessary in order to assist CloudCall deliver the Services. The Customer further acknowledges and agrees that the support element of the Services are subject to change from time to time, provided that if CloudCall changes the Services in a way which results in a significantly lower level of Services for the relevant Product, then CloudCall shall notify the Customer and the Customer shall be entitled to terminate the Agreement as per clause 13.
3.2 If the Product and/or Services do not conform with the Product Description, CloudCall will use reasonable endeavours to correct any such non-conformance or provide the Customer with an alternative means of accomplishing the desired performance. Such correction or substitution (or alternatively any service credits) constitutes the Customer’s sole and exclusive remedy for any such non-conformance.
3.3 CloudCall may assist the Customer on an ad hoc basis with any advice, opinion, statements or additional services (Statements) with the intention of helping the Customer (where requested by the Customer) to achieve the full benefit of the Products. The Customer agrees that any such Statements are made by CloudCall in goodwill and under the terms and conditions of this Agreement (including CloudCall’s limitation of liability set out in clause 10) and as such the Customer shall not place any reliance on any such Statements.
3.4 CloudCall may provide the Customer with certain items of hardware upon agreement with the Customer. Any provision shall be as per the terms and conditions set out in a Hardware Schedule to this Agreement.
4.1 Unless otherwise specified in the Order, CloudCall will invoice the Customer as follows:
a) for the Initial Charges including any charges for integration to a Customer’s existing technology infrastructure, on or shortly after the Billing Commencement Date or (if earlier) on or shortly after “Go Live” (as defined within the Onboarding SOW) for the relevant Product. Further Initial Charges may be due for any subsequent Orders made under this Agreement depending on the Products ordered;
b) Recurring Charges shall be calculated in accordance with the terms of the Order. The Recurring Charges may be subject to variation should the Customer exceed their Call Plan Restrictions and/or any other out of scope use of the Product as set out in the Product Description and shall be invoiced by CloudCall in arrears;
4.2 Where a Product purchased by the Customer from CloudCall is described as “unlimited”, the Customer’s use of the Products (including without limitation the use of the call recording functionality and Messaging Services) under that call plan or messaging plan shall not be unreasonable and shall not exceed five times (5x) the average monthly usage of the relevant Service (or part thereof) (“Fair Usage Limits”). In the event that the Customer uses the Products and/or Messaging Services in excess of the Fair Usage Limits, the Charges for such excess use payable by the Customer to CloudCall shall be calculated using the call rates and messaging rates as set out in the ‘Pay As You Go’ rates. CloudCall shall be entitled to invoice the Customer for any such Charges associated with such excess use (and the Customer shall be required to pay the amounts specified in such invoices to CloudCall in full).
4.3 CloudCall reserves the right to suspend the Services either in part or in whole in the event that the Customer has outstanding invoices for 1 (one) month or more, such suspension only to be exercised upon written notice from CloudCall to the Customer, allowing the Customer a reasonable opportunity to settle the outstanding sums.
4.4 The Customer shall ensure that the maximum number of End Users accessing the Product and/or Services shall not exceed the quantity of End Users which the Customer has purchased from CloudCall as specified on the Order or any amendment thereto. Without prejudice to CloudCall’s other rights or remedies, in the event that the Customer’s number of End Users exceeds the quantity of End Users purchased by the Customer from CloudCall, CloudCall shall be entitled to invoice the Customer for the additional Charges applicable to such excess and the Customer shall be required to pay the amounts specified in such invoices to CloudCall in full.
4.5 All Charges are exclusive of Taxes. Where Taxes are payable in respect of any Charges, CloudCall will add such Taxes to its invoice at the appropriate rate, and the Customer will pay such Taxes together with such Charges.
4.6 If the Customer has not paid an invoice by its due date for payment as set out in the relevant invoice, CloudCall may charge interest, from the date on which payment was due until the actual date of payment (whether before or after judgment), at a rate of 3% per month or the highest rate allowed by applicable law, whichever is higher, accruing daily. The Customer will be responsible for paying the accrued interest together with the overdue amount.
4.7 The Customer will pay all amounts due to CloudCall under this Agreement in full and without any set-off, counterclaim, deduction or withholding.
4.8 With effect from the start of any annual anniversary of the Effective Date, the Charges shall increase to reflect any percentage increase in the Consumer Price Index (CPI) from the US Bureau of Labor Statistics (where CloudCall Inc is the signatory to the Agreement) or as published by the UK Office for National Statistics (where CloudCall Ltd is the signatory to the Agreement) or as published by the Australian Bureau of Statistics (where CloudCall Pty Ltd is the signatory to this Agreement). Such increase is measured over the previous 12 months of the Agreement. CloudCall shall give the Customer not less than 45 days’ prior written notice of any such inflationary increase to the Charges.
4.9 Notwithstanding clause 4.8, CloudCall may, with effect from the start of any Renewal Term, adjust the Charges for any reason by providing not less than 45 days’ prior written notice to the Customer. For clarity, any adjustment to the Charges is without prejudice to the Customer’s right to elect not to renew pursuant to clause 13.1.
5.1 Each of CloudCall and the Customer represents and warrants that (1) it has all necessary consents, approvals and authorities to enter into and perform this Agreement; and (2) it shall perform all its obligations under this Agreement in compliance with all Applicable Law.
5.2 The Customer represents and warrants that the Customer Data does not contain any material which infringes the Intellectual Property Rights or other rights of any party.
6.1 CloudCall will provide to the Customer such information about CloudCall’s security policies and practices as the Customer may reasonably request.
6.2 CloudCall shall provide the Customer with access to a Cloud Computing Platform. It is the Customer’s responsibility to ensure that it will appropriately secure its access credentials, and CloudCall will have no liability to the Customer for (i) any actual or suspected security breach in respect of the Cloud Computing Platforms not directly caused by CloudCall’s breach of this Agreement, (ii) or declining to follow any instructions that CloudCall believes could damage the integrity of the security of the Cloud Computing Platform or any activities undertaken by CloudCall in accordance with Customer’s written instructions.
6.3 If Customer grants CloudCall access to any of Customer’s systems, software, interfaces or other such like technological infrastructure to enable CloudCall to assist Customer in any general queries, Customer shall remain fully liable and solely responsible for all aspects of such systems and CloudCall’s assistance is provided in goodwill only.
7.1 Both CloudCall and the Customer agree to comply with their respective obligations under the Data Processing Addendum.
8.1 Nothing in this Agreement will change the ownership of any of the Intellectual Property Rights of either party. In particular, the Customer acknowledges that the Products and CloudCall’s know-how and expertise in performing the Services are the valuable property and/or Confidential Information of CloudCall and/or its licensors, and that it may not make any use of them other than in order to receive the benefit of the Products.
8.2 As between CloudCall and Customer, any Intellectual Property Rights in and/or changes to, modifications to, or derivative works of the Products shall automatically vest in and become the exclusive property of CloudCall.
8.3CloudCall shall defend and indemnify the Customer from and against all losses, damages, liabilities, fines, costs, or reasonable expenses arising out of or resulting from any third-party claim against the Customer that the Customer’s use of a Product as permitted by CloudCall under this Agreement infringes the Intellectual Property Rights of that third party, save that CloudCall shall have no liability under this clause 8.3 where:
a) the Customer has combined the Product with any other product and/or software not provided by CloudCall;
b) the Customer has modified or altered a Product not under the instructions of CloudCall and/or such modification was undertaken by any person other than CloudCall; or
c) the Customer has failed to apply applicable updates or upgrades, if any claim would not apply to such update or upgrade.
8.4 The Customer acknowledges that CloudCall has no control over the nature or content of the Customer Data, and the Customer will therefore indemnify CloudCall against any claim brought by a third party against CloudCall on the basis that Customer Data infringes a third party’s rights (including its Intellectual Property Rights).
8.5 Customer may, but is not obligated to, provide or submit any suggestions, feedback, comments, ideas, or other information relating to the Products (including the Software) or modifications or enhancements thereto (the “Customer Input”). Any Customer Input is provided on a non-confidential basis regardless of any suggestion to the contrary in any Customer communication, and Customer hereby grants CloudCall a nonexclusive, worldwide, royalty-free, perpetual, irrevocable, sublicensable, transferable right and license to exploit such Customer Input (directly or through third parties) in any manner without compensation or liability to Customer for any purpose whatsoever, including, but not limited to, developing, manufacturing, enhancing, improving, promoting, and marketing CloudCall’s products and services and any Intellectual Property Rights that may arise as a result of this clause 8.5 shall automatically vest in and become the exclusive and sole property of CloudCall.
9.1 Both during the Term of this Agreement and for three years after its termination or expiry, the Receiving Party will keep the Disclosing Party’s Confidential Information confidential and, except with the prior written consent of the Disclosing Party, will:
a) not use or exploit the Confidential Information in any way except for the purpose of exercising its rights and performing its obligations under this Agreement;
b) not disclose or negligently or willfully make available the Confidential Information in whole or in part to any third party, except as permitted by this Agreement; and
c) apply the same security measures and degree of care to the Confidential Information as the Receiving Party applies to its own confidential information (and which will in any event be no less stringent than the measures required by this Agreement.
9.2 The Receiving Party may disclose the Disclosing Party’s Confidential Information to those of its sub-contractors and its and their agents, officers, employees and professional advisers who need to know it in connection with this Agreement (each, a “ Permitted Disclosee”), provided that:
a) it informs each Permitted Disclosee of the confidential nature of the Confidential Information before disclosure; and
b) it has entered into a confidentiality agreement with each such Permitted Disclosee that no less onerous as set forth in this clause 9 as if it were the Receiving Party,
and the Receiving Party will be liable for the failure of any Permitted Disclosee to comply with this clause 9.
9.3 The Receiving Party may disclose Confidential Information:
a) to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority with jurisdiction over the Receiving Party, or by a court of competent jurisdiction, provided in each case that, to the extent it is legally permitted to do so, it gives the Disclosing Party as much advance warning of such disclosure as possible and takes into account the reasonable requests of the Disclosing Party in relation to the content of that disclosure; and
b) in the course of a proper due diligence process in furtherance of a bona fide acquisition, disposal, investment or similar corporate transaction (whether actual or proposed), to interested parties subject to obligations of confidentiality with respect to the Confidential Information which are no less onerous than those set out in this clause 9.
10.1 This clause 10 sets out CloudCall’s entire liability to the Customer under or in connection with this Agreement.
10.2 Nothing in this agreement limits or excludes CloudCall’s liability for:
a) death or personal injury caused by its negligence;
b) fraud or fraudulent misrepresentation;
c) any other liability that cannot be excluded or limited by law.
10.3 Subject to clause 10.2, CloudCall will not have any liability to the Customer under or in connection with this Agreement (whether in contract, tort, negligence or otherwise and whether CloudCall has been advised of the possibility of such damage and notwithstanding any failure of essential purpose of any limited remedy) for any (1) loss of profits or account of profits, loss of sales or business, loss of agreements or contracts, loss of opportunity, loss of anticipated savings, loss of damage or goodwill, or (2) any incidental, special or consequential damages, or any other indirect or consequential losses howsoever caused.
10.4 Subject to clauses 10.2 and 10.3, CloudCall’s total liability to the Customer under or in connection with any other matter relating to or arising from this Agreement, including any schedules, statements of work, data processing addendum or orders made thereunder will be limited in the aggregate to an amount equal to the Charges paid or payable by the Customer in the 12 months preceding the date that the claim arises.
11.1 If a third party asserts a claim against the Customer and the Customer wishes to bring a claim against CloudCall under any indemnity provided in this Agreement (an “Indemnity Claim“), then CloudCall is only liable under that indemnity if:
a) the Customer promptly notifies CloudCall of such Indemnity Claim (and in any event within an amount of time sufficient to permit CloudCall to take appropriate action within the applicable time limits) and takes no action to admit, settle or otherwise dispose of such Indemnity Claim without CloudCall’s prior written consent;
b) CloudCall retains sole control of the defense of such Indemnity Claim and all negotiations for its settlement or compromise (including free choice of counsel, other professional advisers and experts); and
c) the Customer provides all reasonable assistance requested by CloudCall or its professional advisers.
12.1 A “Force Majeure Event” is any event or circumstance not within a party’s reasonable control that directly prevents or materially hinders that party from performing its obligations under this Agreement, including (in the case of CloudCall) failures or outages at upstream or infrastructure suppliers (including but not limited to relevant Cloud Computing Platforms).
12.2 Provided it has complied with clause 12.3, if a party experiences a Force Majeure Event (the “Affected Party”), the Affected Party will not be in breach of this Agreement or otherwise liable for any such failure or delay in the performance of such obligations. The time for performance of such obligations shall be extended accordingly, and the corresponding obligations of the other party will be suspended, and its time for performance of such obligations extended, to the same extent as those of the Affected Party.
12.3 If the Affected Party experiences a Force Majeure Event for more than 30 days, the party not affected by the Force Majeure Event may terminate this agreement by written notice to the Affected Party.
13.1 This Agreement will be legally binding and effective from the Effective Date until the end of the Initial Term, whereupon it will renew automatically for 12 month periods (each such period, a “Renewal Term”) unless either party gives not less than 45 days’ prior written notice to the other, such notice to expire no later than the expiry date of the Initial Term or current Renewal Term, that it does not wish to renew this Agreement beyond the Initial Term or any Renewal Term.
13.2 Either party may terminate this Agreement (and CloudCall may suspend access to the Product and/or the provision of the Services) immediately if:
a) the other party fails to pay any amount due under this Agreement on the due date for payment and remains in default 30 days or more after being notified of such failure of payment;
b) the other party commits a material breach of this Agreement which, if capable of cure, has not been cured within 10 days of receipt of notice of breach by the non-breaching party;
c) in the case of the Customer’s breach of clause 2.3 and/or any breach that represents an security threat or a threat to CloudCall’s core Product without prior notice and without liability to the Customer;
d) the other party (i) if the other party becomes insolvent, (ii) makes an assignment for the benefit of creditors, (iii) files or has filed against it a petition in bankruptcy or seeking reorganization, (iv) has a receiver appointed, or (v) institutes any proceedings for the liquidation or winding up; provided, however, that, in the case any of the foregoing is involuntary, the other party may only terminate this Agreement if such party shall fail to have such petition or proceeding dismissed within sixty (60) days.
13.3 Upon termination of this Agreement and/or suspension of the Services, Customer shall, at CloudCall’s option, immediately return or destroy any and all materials, documents, information (including Confidential Information) or any other property of CloudCall.
13.4 Upon termination of this Agreement CloudCall may destroy or otherwise dispose of any of the Customer Data in its possession relating to that Service unless CloudCall receives, no later than 30 days after the effective date of termination, a written request for the delivery to the Customer of the Customer Data. CloudCall shall use reasonable commercial endeavours to deliver the Customer Data to the Customer within 30 days of its receipt of such a written request, provided that the Customer has, at that time, paid all fees and Charges.
14.1 Customer agrees that they will use reasonable endeavours to, upon a reasonable request from CloudCall:
a) act as a reference for CloudCall when requested given reasonable notice;
b) allow CloudCall to use the Customer’s logo on its website and marketing material; and
c) work with CloudCall to develop a case study to be published within the Initial Term.
14.2 CloudCall may update these Standard Terms and Conditions from time to time, solely to reflect changes in law or industry regulation. For any changes required due to changes in best practice, or changes in how CloudCall’s business operates CloudCall shall notify the Customer of any proposed changes and should Customer object to any such changes they will by entitled by written notice to CloudCall to be served within thirty (30) days from the date of notice to terminate this Agreement.
14.3 Customer shall maintain a list of permitted End Users and provide this to CloudCall within 5 days of receiving a request from CloudCall and Customer shall permit CloudCall to audit the Customer’s (and/or End Users’) access to and/or use of the Product from time to time in order to determine whether or not the Customer has complied with the Agreement.
14.4 This Agreement (and the documents referred to in it) constitutes the entire agreement between the parties, and supersedes any previous agreement, relating to the subject matter of this Agreement.
14.5 Each party acknowledges that it has not relied on or been induced to enter this Agreement by a representation, warranty or undertaking (whether contractual or otherwise) other than those expressly set out in this Agreement.
14.6 A waiver of any right under this Agreement is only effective if it is in writing.
14.7 A notice under or in connection with this Agreement: must be in writing; must be in the English language; and must be delivered personally or sent by email or first class mail to the party due to receive the notice at its principal office (in the case of CloudCall) or to the address specified in the Order (in the case of the Customer).
14.8 A person who is not a party to this Agreement shall have no rights hereunder as a third party beneficiary to enforce any term of this Agreement.
14.9 This Agreement shall be governed by, and construed in accordance with, the Applicable Laws and the parties irrevocably submit to the exclusive jurisdiction of the local courts within that Applicable Law jurisdiction.
14.10 Nothing contained in this Agreement will create or be construed to create any partnership, joint venture, agency, franchise, sales representative, employment or fiduciary relationship between the parties.
14.11 Neither party may assign, novate or otherwise deal, in whole or in part, this Agreement without the prior written consent of the other party, such consent not to be unreasonably withheld, delayed or conditioned. Any purported assignment, sale, transfer, delegation or other disposition of this Agreement, except as permitted herein, shall be null and void.
14.12 If any provision (or part of a provision) of this Agreement is found to be invalid, unenforceable or illegal, the other provisions (or parts of any provisions) shall remain in force.
14.13 Any Order and/or statement of work which incorporates these Standard Term and Conditions by reference may be executed in two or more counterparts, each of which will be deemed an original and all of which together will constitute one and the same instrument.
PRODUCT DESCRIPTION AND SLAS SCHEDULE
CloudCall’s software enables telephone and ‘voice over internet’ calls integrated with our Customer’s CRM system.
Some Product features are only available with certain CRM providers, the details of the features for each Customer can be found in the Customer’s Onboarding SOW. The fundamental terms and conditions for calling and messaging services are outlined in this Product Description Schedule. This Product Description and SLAs Schedule is subject to updates from time to time at CloudCall’s sole discretion.
| 10 DLC Rules | means all and any rules, standards, guidance, terms, conditions, obligations, policies, procedures, laws, and/or regulations which arise out of or in connection with 10 DLC and as further explained on the following website: https://support.bandwidth.com/hc/en-us/articles/4423826434583-10DLC-FAQ |
| Calling Service | means the Service that enables the Customer to make or receive voice calls |
| Customer Systems | means the systems, software, hardware, interfaces, data centres, networks, network connections, internet connections and/or telecommunications links (excluding those which are provided by CloudCall) owned by, or licensed (or provided) to, the Customer which are accessed and/or used at any time in connection with the Services |
| In-Call Consent Service | means the feature in a CloudCall Product that prompts an End User to request the call recipient’s permissions for the call to be recorded and to ensure that the response to such requests are captured |
| Messaging Service | means the functionality of the Product that enables messages to be sent via the CloudCall platform |
| Onboarding SOW | means the statement of work agreed between the parties outlining the Customer’s requirements, the specifications and steps required to complete the set up of the CloudCall Products and Services; |
| Registered Location | means the most recent written information provided by the Customer (and/or any End User) to CloudCall that identifies the physical location where each individual telephone line shall be utilised by the Customer. The Customer (and/or any End User) shall only be permitted to register and/or update one Registered Location at a time for each individual telephone line; |
| Set-Up | means the process of on-boarding a Customer whereby CloudCall provide the services set out in the Onboarding SOW which may include without limitation, account provisioning, network discovery, configuration, training, and 10 DLC registration; |
| Supplier Materials | means any documents, hardware or products generally that are provided by a third party to Customer via CloudCall as part of the Services; |
| VoIP | means voice over internet protocol |
1.1 The Customer (and/or any End User) may use the Product from the Registered Location in accordance with the restrictions in the Order(s) and as listed in paragraph 5 below and/or call plan(s) purchased by the Customer from CloudCall from time to time (“Call Plan Restrictions”). The Customer acknowledges and agrees that Users that are not located in the Registered Location shall not have access to location identification by the emergency services. It is the Customer’s responsibility to ensure that these such Users inform emergency services of their actual physical location. The Customer further acknowledges and agrees that the Call Plan Restrictions may include, without limitation: the telecommunication provider(s) via which any End User may make or receive voice calls as part of the call plan(s), the territory (or territories), number range(s) and number type(s) which any End User may make voice calls to or receive voice calls from as part of the call plan(s), and reasonable usage limits on the Customer’s (and the End Users’) use of the call recording functionality pursuant to Paragraph 1.8 of this Schedule.
1.2 INTERRUPTIONS: The Customer will remain responsible for all Charges during any and all periods of interruption to (or problems with) the Services arising out of or in connection with any of the reasons listed below in this paragraph 1.2 of this Schedule. The Customer acknowledges and agrees that CloudCall shall have no liability to the Customer for interruptions to (or problems with) the Services from time to time arising out of or in connection with:
1.2.1 Any general faults or interruptions (including without limitation all and any faults, outages and interruptions arising out of or in connection with third party cyber attacks, malware attacks, phishing attacks, denial of service attacks, hacking attacks, any other technologically harmful materials (e.g. viruses) or the Customer’s (and/or any End User’s) firewall, internet service provider or broadband provider, or a third party intentionally or inadvertently blocking or impacting any ports over which the Service is provided), maintenance, fixes or updates to the Services; and/or
1.2.2 Any interruptions to (or problems with) the internet or interruptions to (or problems with) the Customer Systems, including without limitation, interruptions to (or poor signal quality of) any mobile data networks, Wi-Fi connections or networks, or other systems or networks used by the Customer (and/or any End User) in connection with any mobile app services (or other Services) provided by CloudCall to the Customer; and/orAny failure(s) by the Customer (and/or any End User) to comply with these Terms of Service and/or any Orders; and/or
1.2.3 Any other interruptions to (or problems with) the Services which are not caused by CloudCall.
1.3 PERFORMANCE: Subject to paragraph 1.2 of this Schedule, CloudCall guarantees monthly service average uptimes for its Product as follows (the “Uptime Service Levels”):
1.3.1 99.99% for core internet-protocol network/network edge availability (the degree to which CloudCall edge-router IP addresses may be reached via internet protocol from relevant service endpoints);
1.3.2 99.9% for CloudCall call service availability; and
1.3.3 99.5% for CloudCall API availability.
1.4 CloudCall uses a third-party monitoring company to monitor Uptime Service Levels.
1.5 Subject to Paragraph 1.2 of this Schedule, in the event that CloudCall falls short of its Uptime Service Levels, the Customer may, being its sole and exclusive remedy for such failure(s), request a service credit (to the extent such credit is specified in the table below). To claim a service credit, the Customer must contact support@cloudcall.com within 14 days of the end of the month in which the failure(s) occurred. Any service credit claim by the Customer shall be subject to verification by CloudCall. Service credits are listed below, and are a percentage deducted from the monthly Product Charges:
| % Short of the Relevant Uptime Service Level | Service Credit |
| ≤ 0.1% | 10% |
| ≤ 0.2% | 20% |
| ≤ 0.3% | 30% |
| ≤ 0.4% | 40% |
| ≤ 0.5% | 50% |
| ≤ 0.6% | 60% |
| ≤ 0.7% | 70% |
| ≤ 0.8% | 80% |
| ≤ 0.9% | 90% |
| ≤ 1.0% | 100% |
1.6 Notwithstanding Paragraphs 1.3, 1.4 and 1.5 of this Schedule, the Customer must still pay CloudCall in full for all and any Charges for calls successfully made or received via the Services and/or messages successfully sent or received via the Services (because such Charges shall not be included in any service credit calculations).
1.7 CALLING COSTS: The provision of the Product by CloudCall is subject to the Customer paying to CloudCall the full Charges applicable to the call plan(s) that the Customer has purchased from CloudCall from time to time in accordance with the Agreement. In the event that the Customer (and/or any End User) makes or receives any call(s) using the Product which are in excess of (and/or in breach of) the Call Plan Restrictions (or the Customer (and/or any End User) makes or receives any call(s) using the Product on a pay-as-you-go basis or without the Customer having first purchased any call plan(s) from CloudCall which have since been made available by CloudCall for the Customer to make use of) the Charges for such call(s) payable by the Customer to CloudCall shall be calculated using the Call Rate(s).
1.8 CALL RECORDINGS:
1.8.1 The Customer may use the Product to record calls which an End User makes and/or receives via the Product, provided that, (1) such functionality is available as part of the functionality of the Product purchased by the Customer in the Order, (2) the Customer’s use of the call recording functionality does not exceed the reasonable usage limits on such use which CloudCall may notify to the Customer from time to time, and (3) the Customer shall be solely responsible for ensuring it does so (and that its End Users do so) in compliance with all applicable laws and regulations (“Call Recordings”). For the avoidance of doubt, and subject to Clause 10 (Liability) of the Standard Terms and Conditions, CloudCall shall have no obligation(s), responsibility, and/or liability whatsoever to ensure that the Customer’s use of the Product for the purposes of creating (or otherwise in connection with) Call Recordings is compliant with applicable laws and regulations.
1.8.2 The Customer may request to receive a digital copy of any of its Call Recordings, provided that: (1) it has (and its End Users have) made such recording(s) in accordance with Paragraph 1.8.1 of this Schedule, (2) provision of such copy shall be subject to the Customer’s payment in full (and in advance) of any fees which CloudCall may charge for the provision of such recording(s), and (3) provision of such copy shall be subject to any legal, regulatory, contractual and/or other restrictions which apply to CloudCall’s disclosure of such recording(s). Subject to the foregoing, the Customer shall have the ability to download or delete a digital copy of any singular Call Recording one at a time (limited to one Call Recording per download or deletion) via the CloudCall Portal (“Singular Call Recording Download/Deletion”). There shall not be any additional charge or fee associated with any such Singular Call Recording Download/Deletion.
1.8.3 CloudCall shall use reasonable efforts to store Call Recordings securely for the following periods: (1) 12 months from and including the date of the Call Recording where the call was made or received via the “Bundle 1” and/or “Bundle 2”. a “VoIP Only” (or equivalent) User Subscription; (2) 18 months from and including the date of the Call Recording where the call was made or received via a “Bundle 3” unless: otherwise stated by CloudCall, or required to do otherwise by applicable law or regulation) (“Standard Storage Period”).
1.9 IN-CALL CONSENT:
1.9.1 CloudCall will provide the Customer with an In-Call Consent Service feature to the extent the same is included in the relevant Order and User Subscription. Such feature may be used to prompt End Users to request call recipient permissions and to ensure that responses to such requests are captured. The Customer agrees that CloudCall is only providing this In-Call Consent Service feature to assist with the Customer’s gaining and tracking of permissions and not for any legal or compliance purposes. CloudCall does not give any warranty, representation, statement, guarantee, promise or otherwise that its provision of the In-Call Consent Service feature will assist the Customer to comply with any applicable laws or regulations.
1.9.2 The Customer agrees that should CloudCall provide a feature that prompts an End User to obtain explicit consent from the recipient of a call for any Call Recording (the “In-Call Consent Service”) the provision of such feature shall not constitute legal advice or guidance and that CloudCall expressly recommends that the Customer seeks its own independent legal advice (at its own choice and cost) if it wishes to use the In-Call Consent Service feature for the purposes of complying with any laws or regulations. The Customer further agrees that the Customer shall be solely responsible for (and CloudCall shall have no responsibility for) generating (and using) any consent or permission request scripts (or other scripts).
1.10 EMERGENCY CALLS:
1.10.1 The Product may include a functionality that permits an End User to make emergency calls to emergency services which are located in the United Kingdom, or the United States of America, or Australia (which will depend on the Registered Location applicable to each call).
1.10.2 The Customer acknowledges and agrees that:
a) CloudCall shall provide an online portal that is accessible via security credentials and shall contain details relating to the Customer’s account with CloudCall (the “CloudCall Portal”). The Customer must ensure that each Registered Location shall be kept up to date at all times throughout the Term within the Customer’s account on the CloudCall Portal to the extent necessary to ensure it is (and remains) current and accurate at all times throughout the Term. A Registered Location may be updated by the Customer or the End User via the CloudCall Portal at any time. If the Customer fails to ensure that each Registered Location is kept up to date at all times throughout the Term in accordance with this Paragraph 1.10 of this Schedule, then the emergency service calls made by End Users may be sent to an incorrect location and they may not be able to provide emergency assistance to the End Users who made any such calls;
b) Any changes to a Registered Location may take up to 48 hours to be updated in the database and therefore available to the public safety answering point (or equivalent, dependent on jurisdiction) (the “PSAP”) or appropriate local emergency authority (or equivalent, dependent on jurisdiction) (the “Local Emergency Authority”) that receives the call, where available;
c) The Product is designed for an End User to make emergency services calls only to emergency services which are located in the United Kingdom, or the United States of America, or Australia (which will depend on the Registered Location applicable to each call) and, subject to the foregoing, only to emergency services which are located in the local country or territory of the Registered Location applicable to each call;
d) CloudCall has no control over whether, or the manner in which, emergency services calls by any End User using the Product are answered or addressed by any PSAP or Local Emergency Authority or national emergency call centre (or equivalent, dependent on jurisdiction) or whether routing of such calls is incorrect or yields an erroneous result;
e) If the Customer’s (or an End User’s) internet connection (and/or any internet connection on which any Product relies on in whole or in part) is not working, is disconnected, is suspended, is disrupted, is interrupted, is congested, or there is a power loss, power cut, power disruption, power interruption and/or power failure , or the End User’s VoIP device (or other device) otherwise malfunctions, or provision of the Product to the Customer is suspended by CloudCall pursuant to any breach by the Customer of this Agreement, or there is any other outage, disconnection, disruption, or interruption it may not be possible for an End User to make an emergency services call (and/or access emergency services) using the Product or such emergency services call may be delayed. There may be a greater possibility of network congestion and/or reduced speed in the routing of an emergency services call made by an End User via the Product in comparison to traditional emergency services dialing via traditional public telephone networks;
f) The Customer’s (or an End User’s) firewall, internet service provider or broadband provider, or a third party may intentionally or inadvertently block the ports over which the Product is provided or otherwise impact the functionality of the Product. If the Customer (or an End User) suspects this, they must notify CloudCall in writing immediately. During the period that the ports are being blocked or the Product is otherwise impacted, it may not be possible for an End User to make an emergency services call (and/or access emergency services) using the Product or such emergency services call may be delayed;
g) Following any failure, delay or other erroneous or incorrect result in respect of an emergency services call attempted by an End User via the Product (which has arisen out of or in connection with any of the reasons described above in Paragraph 1.10 of this Schedule), or otherwise), the End User may need to reset or reconfigure its VoIP device (or other device) prior to using the Product for making any further emergency services calls;
h) The Customer must (and it is their sole responsibility to) ensure that the End Users do not block their telephone number on their handsets and/or devices when using the Product to call and/or dial the emergency services;
i) The Customer hereby authorises (and will ensure that each End User also hereby authorises) CloudCall to disclose End User’s names, telephone numbers and addresses and Registered Locations to third parties who are involved with CloudCall’s provision of emergency service dialing to such End Users, including, without limitation, call routers, call centres, local emergency centres, PSAPs, Local Emergency Authorities and national emergency call centres (or equivalent, dependent on jurisdiction);
j) The Customer must inform their End Users (and ensure that the Customer and the End Users remain aware at all times) of the capabilities and limitations of the Services which exist from time to time in respect of emergency services calls (and/or access to or contact with the emergency services);
k) If the Customer is not comfortable with the limitations of the Product which exist from time to time in respect of emergency services calls (and/or access to or contact with the emergency services), the Customer must ensure that their End Users have an alternative method to use to access and/or contact the emergency services; and
l) CloudCall shall only be obliged to provide the Customer (and/or any End User) with access to and/or contact with the emergency services via the Services strictly to the extent that CloudCall is required to do so by applicable laws and regulations.
1.10.3 An End User’s emergency services call using the Product is subject to the capabilities of the emergency authority of the Registered Location applicable to that call. The End User may access Enhanced Emergency Services or Basic Emergency Services, depending on the capability of the PSAP or Local Emergency Authority that receives the call. There are significant differences betweens Enhanced Emergency Service and Basic Emergency Service:
a) With “Enhanced Emergency Service” when the End User makes an emergency services call using the Product, the End User’s telephone number (or “call back number”) and, in most cases, Registered Location (the “End User Information”) are automatically and simultaneously sent to the PSAP or Local Emergency Authority assigned to the End User’s Registered Location, and so the emergency operators have access to the information they need to send help and call the End User back if necessary. Not all PSAPs or Local Emergency Authorities are capable of receiving location information from the Product;
b) With “Basic Emergency Service” when the End User makes an emergency services call using the Products, the PSAP or Local Emergency Authority assigned to the End User’s Registered Location is not equipped to receive, capture, or retain the End User Information, and so the End User must instead orally provide such End User Information to the emergency operator. The emergency operator may not be able to call the End User back or dispatch help to the End User until the End User provides their End User Information to the emergency operator; and
c) Certain individual telephone lines utilised by End Users to make emergency services calls via the Products will not have access to either Enhanced Emergency Service or Basic Emergency Service. If the relevant individual telephone line utilised by the End User to make emergency services calls via the Products does not have access to Enhanced Emergency Service or Basic Emergency Service, that call will be sent to the national emergency call centre (or equivalent, dependent on jurisdiction). In that case, the call will not be directed to a PSAP or Local Emergency Authority who may be better equipped to provide assistance. A trained agent at the national emergency call centre (or equivalent, dependent on jurisdiction) may ask for the name, telephone number and location of the End User, and then contact the PSAP or Local Emergency Authority for such End User in order to send help. Examples of situations where emergency services calls may be sent to the national emergency call centre (or equivalent, dependent on jurisdiction) include: when there is a problem validating a End User’s Registered Location, when the End User is identified with a Registered Location outside of the country in which the emergency service is based, or when the End User is located in an area which is not covered by the landline emergency services calling network. In addition, regardless of the Registered Location of an individual telephone line utilised by a End User to make emergency services calls via the Products, if a End User uses certain portable devices, their emergency services calls will be routed to the national emergency call centre (or equivalent, dependent on jurisdiction). Emergency operators may not receive a End User’s telephone number or Registered Location when an emergency services call is routed to the national emergency call centre (or equivalent, dependent on jurisdiction).
1.10.4 It is the Customer’s sole responsibility to notify all End Users and potential End Users (including, but not limited to, End Users, employees, guests, residents and third parties present at each Registered Location) that:
a) Enhanced Emergency Service differs from Basic Emergency Service, as described above; and
b) It is the Customer’s responsibility to understand which of its Users will have access to the Enhanced Emergency Service functionality. The Customer must notify and inform each User of the potential unavailability of emergency services dialing on or near any device being used to access the CloudCall Product, where that device may not have the Enhanced Emergency Services functionality.
2.1 The Customer (and/or any End User) may use the Messaging Service in accordance with the restrictions and limits in the relevant Order(s) and/or messaging plan(s) purchased by the Customer from CloudCall from time to time (“Messaging Plan Restrictions”). The Customer acknowledges and agrees that the Messaging Plan Restrictions may include, without limitation: the telecommunication provider(s) via which any End User may send or receive messages as part of the messaging plan(s) and the territory (or territories), number range(s) and number type(s) which any End User may send messages to or receive messages from as part of the messaging plan(s).
2.2 The Messaging Service is subject to the Customer paying to CloudCall the full Charges applicable to the messaging plan(s) that the Customer has purchased from CloudCall from time to time in accordance with the Agreement. In the event that the Customer (and/or any an End User) sends or receives any message(s) using the Product which are in excess of (and/or in breach of) the Messaging Plan Restrictions (or the Customer (and/or any End User) sends or receives any message(s) using the Product on a pay-as-you-go basis or without the Customer having first purchased any messaging plan(s) from CloudCall which have since been made available by CloudCall for the Customer to make use of) the Charges for such message(s) payable by the Customer to CloudCall shall be calculated using the Messaging Rates. For the purposes of calculating the Charges due and payable by the Customer to CloudCall in respect of the quantity of messages sent and/or received by the Customer (and/or any End Users) using the Services: (1) any message which contains solely GSM-7 characters (or equivalent) shall be subject to a per message limit of 160 (one hundred and sixty) characters, and (2) any message which contains one or more UCS-2 characters (or equivalent) shall be subject to a per message limit of 70 (seventy) characters (“Message Character Limits”). The Message Character Limits may be changed by CloudCall from time to time.
2.3 The Customer shall ensure that its use of and/or access to the Messaging Services is strictly in accordance with the 10 DLC Rules (to the extent that the 10 DLC Rules are applicable to such use and/or access). CloudCall guarantees Messaging Service uptimes on equivalent terms as it does for its Products.
For any issues related to the Services, the Customer may contact: support@cloudcall.com and/or the relevant telephone number(s) listed on CloudCall’s website from time to time. Response within three Business Hours. “Business Hours” means: (1) 08:00 to 22:00 UK time excluding weekends and UK public holidays and bank holidays.
4.1 Customer shall:
4.1.1 Ensure that its End Users comply with the Agreement. The Customer shall remain fully liable to CloudCall for all acts and omissions of any of its End Users;
4.1.2 Cooperate with CloudCall in all matters relating to the Product and Services, including, but not limited to, any actions reasonably necessary to permit CloudCall to deliver the Services, Set-Up and/or any Hardware;
4.1.3 Securely store and maintain any materials owned by CloudCall and lent to the Customer in good condition at Customer’s premises and at Customer’s risk and expense until returned to CloudCall;
4.1.4 Ensure that all codes, usernames, log in details, and passwords associated with the Customer’s access to the CloudCall Portal are kept confidential and secure;
4.1.5 Ensure that its software, hardware, networks and systems comply with the specifications provided by CloudCall from time to time;
4.1.6 Take all steps (at its sole cost) necessary to complete the Set-Up with any required third parties for example (without limitation): procuring the Customer’s current and/or previous suppliers to promptly unblock, transfer, connect or disconnect ports and/or telephone numbers as necessary to allow CloudCall to complete the Set-Up;
4.1.7 Take all steps (at its sole cost) necessary to procure and maintain all interconnections and transfers and arrangements between CloudCall and Customer’s supplier(s) to the extent required for CloudCall to deliver the Services in accordance with the Agreement (“Interconnection Arrangements”). Such Interconnection Arrangements may be required where CloudCall and the Customer have agreed to an arrangement, in respect of the Services, whereby the Customer retains its existing telecommunications supplier but that supplier transfers the Customer’s VoIP calls through CloudCall’s IP address(es) and/or networks so that CloudCall can deliver the software and/or reporting element of the Services for the Customer in connection with those calls. The Customer shall be solely responsible for procuring, managing and maintaining any such Interconnection Arrangements and CloudCall shall have no liability for anything arising out of or in connection with such Interconnection Arrangements (and these Terms of Service and any Order(s) shall be completely separate to, and unaffected by, all Interconnection Arrangements). If any Interconnection Arrangements cease, fail, change, or contain any error or omission, these Terms of Service and any Order(s) shall continue and remain unaffected and unchanged;
4.1.8 Be solely responsible for procuring, maintaining, keeping secure, and preventing unauthorised, unlawful and/or fraudulent access to and use of, the Customer Systems. In the event that CloudCall carry out any work, changes or set-up in relation to the Customer Systems (e.g. helping with router set-up to enable the Customer to use the Services), the Customer shall continue to be solely responsible for procuring, maintaining, keeping secure, and preventing unauthorised, unlawful and/or fraudulent access to and use of, the Customer Systems. The Customer must, at all times throughout the Term, keep the Customer Systems secure, strictly in accordance with the Security Requirements; and
4.1.9 Ensure that each of its End Users cooperates with any reasonable requests provided by CloudCall to the Customer and/or the End Users via the CloudCall Portal from time to time to the extent such requests are required actions by essential CloudCall suppliers.
4.2 If the Customer (and/or any End User) plays music whilst a caller is on hold in connection with the Products (and/or plays music otherwise in connection with the Products), the Customer shall be solely responsible for ensuring the Customer holds the required license to use the relevant music for these purposes.
4.3 If the Customer (and/or any End User) commences its use of the Product without first attending (and cooperating and complying with) all training required by CloudCall as determined as part of Set-Up and/or the Onboarding SOW (“On-Boarding Failure”), CloudCall shall not be liable for any loss or damage arising out of or in connection with any call quality problems, connection reliability problems or any other failures in respect of the Product which arise out of or in connection with the On-Boarding Failure.
4.4 CloudCall may recommend that the Customer (and/or any End User) should not use Wi-Fi for or in connection with its access to and/or use of the Services (“Wi-Fi Warning”). If CloudCall issues a Wi-Fi Warning and the Customer (and/or any End User) still proceeds to use Wi-Fi for or in connection with its access to and/or use of the Services (“Wi-Fi Failure”), CloudCall shall not be liable for any loss or damage arising out of or in connection with any call quality problems, connection reliability problems or other failures in respect of the Services which arise out of or in connection with the Wi-Fi Failure.
5.1 Upon the launch of CloudCall o1 the following is a list of blocked countries and restricted premium rated services that Customers will not have access to. Most of the countries that are blocked are countries that are not included in the current pricing plan and those that are on a government sanctioned list.
5.2 Sanctioned Country List (and therefore blocked):
5.2.1 Cuba.
5.2.2 Crimea.
5.2.3 North Korea.
5.2.4 Sudan.
5.2.5 Iran.
5.2.6 Syria.
5.3 Premium Rated Services:
5.3.1 TV voting (e.g. Dancing with the Stars, The X Factor)
5.3.2 Quizzes and competitions (e.g. The Late Late Show, radio competitions)
5.3.3 Charity donations
5.3.4 Digital content (e.g. music, videos, wallpapers, games)
5.3.5 Psychic or other entertainment services
5.3.6 Business information (e.g. some technical support lines)
5.3.7 Adult lines
5.4 For a list of further premium numbers that are blocked by default on the CloudCall o1 platform shall include but not limited to those outlined here: https://en.wikipedia.org/wiki/Premium-rate_telephone_number
5.5 Currently, there are countries that are not available upon initial launch of CloudCall o1, but which may be added for later versions. The current list of countries that CloudCall o1 supports upon initial launch are as follows:
5.5.1 Switzerland, United Kingdom, Australia, Canada, France, Germany, India, Ireland, Mexico, Netherlands, New Zealand, Puerto Rico, Spain, Sweden, United States, and Virgin Islands (includes mobile, but excludes premium numbers).
5.6 Countries that are not currently listed above are blocked by default. Customers should notify their respective CloudCall Account Managers if they have specific countries not listed above as they may be available via an add-on feature.
This section contains important provisions, including those regarding 9-1-1 service
Description: VoIP services allow you to make or receive telephone calls over the Internet to or from the public switched telephone network. The nature of VoIP telephone calls, while appearing similar to traditional telephone calling services, create unique limitations and circumstances, and you acknowledge and agree that differences exist between traditional telephone service and VoIP telephone services, including the lack of traditional 9-1-1 emergency services.
9-1-1 service: Because of the unique nature of VoIP telephone calls, emergency calls to 9-1-1 through your VoIP service will be handled differently than traditional phone service. The following provisions describe the differences and limitations of 9-1-1 emergency calls, and you hereby acknowledge and understand the differences between traditional 9-1-1 service and VoIP calls with respect to 9-1-1 calls placed to emergency services from your account as described below.
Placing 9-1-1 calls: When you make a 9-1-1 emergency call, the VoIP service will attempt to automatically route your 9-1-1 call through a third-party service provider to the Public Safety Answering Point (“PSAP”) corresponding to your address of record on your account. However, due to the limitations of the VoIP telephone services, your 9-1-1 call may be routed to a different location than that which would be used for traditional 9-1-1 dialling. For example, your call may be forwarded to a third-party specialized call centre that handles emergency calls. This call centre is different from the PSAP that would answer a traditional 9-1-1 call which has automatically generated your address information, and consequently, you may be required to provide your name, address, and telephone number to the call centre.
How your information is provided: The VoIP service will attempt to automatically provide the PSAP dispatcher or emergency service operator with the name, address and telephone number associated with your account. However, for technical reasons, the dispatcher receiving the call may not be able to capture or retain your name, phone number or physical location. Therefore, when making a 9-1-1 emergency call, you must immediately inform the dispatcher of your location (or the location of the emergency, if different). If you are unable to speak, the dispatcher may not be able to locate you if your location information is not up to date.
Correctness of information: You are responsible for providing, maintaining, and updating correct contact information (including name, residential address and telephone number) with your account. If you do not correctly identify the actual location where you are located, or if your account information has recently changed or has otherwise not been updated, 9-1-1 calls may be misdirected to an incorrect emergency response site.
Disconnections: You must not disconnect the 9-1-1 emergency call until told to do so by the dispatcher, as the dispatcher may not have your number or contact information. If you are inadvertently disconnected, you must call back immediately.
Connection time: For technical reasons, including network congestion, it is possible that a 9-1-1 emergency call will produce a busy signal or will take longer to connect when compared with traditional 9-1-1 calls.
9-1-1 calls may not function: For technical reasons, the functionality of 9-1-1 VoIP emergency calls may cease or be curtailed in various circumstances, including but not limited to:
Failure of service or your service access device – if your system access equipment fails or is not configured correctly, or if your VoIP service is not functioning correctly for any reason, including power outages, VoIP service outage, suspension or disconnection of your service due to billing issues, network or Internet congestion, or network or Internet outage in the event of a power, network or Internet outage; you may need to reset or reconfigure the system access equipment before being able to use the VoIP service, including for 9-1-1 emergency calls; and changing locations – if you move your system access equipment to a location other than that described in your account information or otherwise on record with (company name).
Alternate services: If you are not comfortable with the limitations of 9-1-1 emergency calls, (company name) recommends that you terminate the VoIP services or consider an alternate means for accessing traditional 9-1-1 emergency services.
Inform other users: You are responsible for notifying, and you agree to notify, any user or potential users of your VoIP services of the nature and limitations of 9-1-1 emergency calls on the VoIP services as described herein.
Liability: Customers are advised to review this section with respect to CloudCall’s limitations of liability.
Customer acknowledges and understands that CloudCall has limited liability for any service outage and/or inability to reach 9-1-1 services and access emergency personnel. To the extent permitted by applicable law, CloudCall and its affiliates, directors, employees, agents, service providers and underlying carriers, will not be liable for any injury, death or damage, unless caused by CloudCall’s negligence, in which case CloudCall shall not limit its liability. For any other liability whether, direct, indirect, special, consequential, incidental, economic, exemplary or punitive damages, to persons or property, arising directly or indirectly out of, or relating to the 9-1-1 service or VoIP service CloudCall shall not have any liability and you agree to indemnify and hold harmless CloudCall (and its respective directors, officers, employees, agents, service providers and underlying carriers) for any liabilities, claims, damages, losses and expenses, (including reasonable legal fees and expenses) which you may suffer or incur, arising directly or indirectly out of or relating to your ability to access 9-1-1 service or use VoIP service as result of the above-mentioned limitations or your failure to comply with the above-mentioned requirements. You agree that you shall have control over the defense and settlement of a claim, except that you will not have the right to enter into a settlement that imposes any obligation on CloudCall. You further acknowledge and understands that CloudCall has no control over how 9-1-1 calls are answered or addressed by any local emergency response centers and the national emergency calling center and that CloudCall disclaims all responsibility for the conduct of all such organizations.
DATA PRIVACY
International data transfer transfer impact assessment (TIA) – AUSTRALIA
In this document CloudCall Pty (the Australian entity of CloudCall) are the data recipients, and CloudCall Ltd (the UK entity) shall be transferring the data and are conducting the enquiries in order to conduct the risk assessment of the transfer.
I. Data protection regime in recipient country
Please answer the questions below in relation to the jurisdiction(s) identified at section 1. D.
| Question | Information supplied by data recipient | Information from your own enquiries, including source of information |
| A. Data Protection Laws – Australia | ||
| A1. Source of information relating to third country laws | Information either supplied by data recipient or from own enquiries. | |
| A2: Does the third country have a dedicated data protection law? | ☒ Yes ☐ No If yes, identify the data protection law | Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in the Privacy Act are the main regulations for data protection. These apply to private sector entities with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies. Most States and Territories in Australia also have their own supplementary data protection legislation. The Privacy Act contains 13 Australian Privacy Principles (APPs) including: Open and transparent management of personal informationAnonymity and pseudonymityCollection of solicited personal informationDealing with unsolicited personal informationNotification of the collection of personal informationUse or disclosure of personal informationDirect marketingCross-border disclosure of personal informationAdoption, use or disclosure of government related identifiersQuality of personal informationSecurity of personal informationAccess to personal informationCorrection of personal information |
| A3: Is the data protection law in the third country based on any international instruments on privacy or data protection? | ☐ Yes ☒ No | N/A |
| A4: Is there an independent data protection authority in the third country? | ☒ Yes ☐ No If yes, identify the data protection authority | There is an independent data protection authority in Australia. The Australian Information Commissioner, under the Office of the Australian Information Commissioner (“OAIC”), is the national data protection regulator responsible for enforcing compliance with the Privacy Act. |
| A5: Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How are such breaches handled? | ☒ Yes ☐ No If yes, provide further information | Breaches of data protection law in Australia can lead to administrative sanctions or orders. The OAIC is responsible for the enforcement of the Privacy Act and can investigate any “interferences with the privacy of an individual” (i.e. any breaches of the Australian Privacy Principles). After investigating a complaint, the Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organisation rectify its conduct or that the organisation redress any loss or damage suffered by the individual. The sanction issued by the OAIC will depend upon the nature of the breach, the seriousness of the breach, the data disclosed and any other relevant factors. Sanctions can include non-pecuniary loss such as awards for stress and/or humiliation. In late 2023, the maximum penalties for serious or repeated interferences with the privacy of individuals were increased significantly by to the greater of (i) AUD50M ((roughly £27.5m), (ii) three times the benefit of obtained through the misuse of information , or (iii) (where the benefit cannot be determined) 30% of adjusted turnover in the relevant period. There are no criminal penalties for breaches of data protection law in Australia. |
| A6: Does the data protection law cover all commercial sectors and types of organisations or are some areas of activity outside its scope? | The Privacy Act applies to private sector entities (including body corporates, partnerships, trusts, and unincorporated associations) with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies. The Privacy Act currently contains an exemption for “employee records”, such that any records directly relating to personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However, there are some further carve-outs to this (for example, the exemption does not apply to contractors or unsuccessful job applicants), and it is anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act. | |
| B. Obligations on Data Recipient | ||
| B1: Is the data recipient subject to the data protection law(s) described above? | ☒ Yes ☐ No | |
| B2: What are the main obligations imposed on the data recipient under the above data protection law(s)? | Please see A2 above. The following obligations will apply to the data recipient: Compliance with the Australian Privacy Principles. The data recipient will be required to comply with the Australian Privacy Principles (APPs) whenever handling personal information;Notification of Data Breaches. The data recipient may be required to notify affected individuals and/or the Office of the Australian Information Commissioner (OAIC) in case of a data breach that is likely to result in serious harm (Notifiable Data Breaches scheme); andOverseas transfers. The data recipient must tale all reasonable steps to protect personal information when it is transferred to overseas entities. | |
| B3: Are there any specific restrictions on the disclosure of personal data by the data recipient to third parties? | ☒ Yes ☐ No If yes, summarise the main restrictions | Unless certain limited exemptions under the Privacy Act apply, personal data may only be disclosed by the data recipient to third-party to an organisation outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. |
| C. Data Subject Rights | ||
| C1: Do data subject have the right to access their personal data? | ☒ Yes ☐ No If yes, date whether there are any limitations to this right | Data subjects in Australia do have the right to access their personal data. Organisations are required to provide individuals with access to their personal information held by the organisation upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organisation. Under certain circumstances, the organisation may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests. |
| C2: Do data subjects have any other substantive rights? | ☒ Yes ☐ No If yes, summarise main data subject rights | data subjects in Australia have several other substantive rights under the Privacy Act: Right to Anonymity or Pseudonymity: Organisations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organisation, unless it is impractical to do so or the organisation is required or authorised by law to deal with identified individuals.Right to Consent: Organisations may not collect personal information unless the information is reasonably necessary for one or more of its business functions or activities. Additionally, organisations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following: the individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity’s functions or activities.Right to Opt-Out of Direct Marketing: Organisations must not use or disclose personal information about an individual unless one or more specific conditions apply, including the individual’s consent. In the case of use and disclosure for the purpose of direct marketing, organisations are required to ensure that each direct marketing communication provides a simple means by which the individual can opt out.Right to Complaint: At or before the time organisations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of how they may make a complaint about a breach of the Australian Privacy Principles and how the organisation will deal with such complaint.Right of correction: permits individuals to submit a correction request to an organisation which holds personal information about that individual. There is no right of erasure (“right to be forgotten”) under Australia’s privacy laws at this time. |
| C3: What remedies are available to data subjects in the event that their rights are breached? | As above, if a data subject’s rights are breached in Australia, the Australian Information Commissioner has the authority to investigate the complaint. After investigating a complaint, the Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organisation rectify its conduct or that the organisation redress any loss or damage suffered by the individual. Therefore, remedies available to data subjects in the event that their rights are breached can include rectification of the breach, compensation for any loss or damage suffered, and potentially significant penalties imposed on the organisation responsible for the breach. | |
| C4: Are these rights exercisable through the judicial system or enforced by the supervisory authority, or both? | Both | Initially, the Office of the Australian Information Commissioner (OAIC) will make the appropriate determination and if the relevant organisation does not comply with this determination, the OAIC has the authority to apply to the Federal Court or Federal Circuit Court to enforce compliance with the declaration. Individuals who have lodged complaints are also permitted to initiate proceedings in the judicial system to enforce a determination made by the OAIC. |
| D. Public Authority’s Right of Access | ||
| D1: Is there a legal framework providing for such access, when it is envisaged, that is publicly available and sufficiently clear? | ☒ Yes ☐ No | There is a legal framework in Australia that governs public authorities’ and law enforcement’s right to access personal information. The Telecommunications and Other Legislation Amendment (‘Assistance and Access’) Act 2018 (Cth) (“AA Act”) provides law enforcement agencies with access to encrypted data for serious crime investigation and imposes obligations on “Designated Communications Providers”. The AA Act allows various agencies to issue a “technical assistance notice”, which requires a provider to give assistance that is reasonable, proportionate, practicable and technically feasible. They can also issue a “technical capability notice”, which requires a provider to build new capabilities to assist the agency. The provider must consult with the agency prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible. In addition, the agencies can make “technical assistance requests”, to give foreign and domestic providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organisations and interception agencies relating to issues of national interest, national security and law enforcement. Other legislative frameworks that regulate public authorities’ and law enforcement right to access personal information include: Surveillance Devices Act 2004 (Cth) (SD Act): sets limitations on the use, communication and publication of information acquired through surveillance devices and access to data stored in computers.Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act): establishes the Australian Security Intelligence Organisation, which is tasked with collecting information and generating intelligence. This enables the organisation to inform the Government about activities or situations that could pose a threat to national security in Australia. Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act): controls access to content and data in telecommunications within Australia. The TIA Act makes it illegal for anyone to intercept or access private telecommunications without the consent of the parties involved in the communication. Intelligence Services Act 2001. |
| D2: Is the data recipient subject to surveillance laws of the third country? | ☒ Yes ☐ No If yes, move to the next question | |
| D4: Does publicly available information show that there is a legal prohibition on the data recipient of informing about a specific request for access to data received and wide restrictions on providing general information about requests for access to data received or the absence of requests received? | ☐ Yes ☒ No | |
| D5: Has the data recipient confirmed whether or not it has received requests for access to data from Australian public authorities in the past, and that it is not prohibited from providing information about such requests or their absence? If it has received prior requests, please see question below asking for numbers of requests received. | ☐ Yes ☒ No | No requests have been received from Australian public authorities. |
| D6: Is the data recipient subject to any other country’s surveillance laws? | ☐ Yes ☒ No ☐ Not known ☐ We are under a legal obligation not to answer this question If yes, identify the relevant surveillance regime | |
| D7: What personal data can public authorities require the data recipient to provide and in what circumstances, e.g. under: any applicable security surveillance regime?in the course of an investigation? Does this include the type of personal data that will be transferred to the data recipient? | Under the ASIO Act, the Australian Security Intelligence Organisation can access data through a search warrant, a computer access warrant, or a surveillance device warrant. This is only for matters related to national security.The TOLA Act allows law enforcement and intelligence agencies to compel an organisation to provide assistance in accessing data through compulsory notices. This is typically used alongside a search warrant or other power that authorises access to data.The TIA Act allows law enforcement, anti-corruption and national security agencies to apply for warrants to intercept communications when investigating serious crimes and threats to national security.The SD Act governs the use of surveillance devices by government agencies, including state and territory law enforcement agencies when they are using surveillance devices under Commonwealth laws.The Crimes Act authorises the Australian Federal Police (AFP) to apply for and execute search warrants under specified circumstances. The warrant only authorises the AFP to seize data or information which is relevant to the investigation of the criminal offence to which the warrant relates. All these activities are regulated by the Office of the Commonwealth Ombudsman, which oversees agency compliance with legislation in the use of these powers. | |
| D8: What limitations do data protection and privacy laws impose on such requests by public authorities? | Public authorities will be considered as “agencies” and therefore bound by the Privacy Act. Data protection and privacy law in Australia impose limitations on requests for information by Public Authorities, for example requests for information must be necessary and proportionate and the Public Authorities must have a lawful basis for their request. The Personal Data collected must only be used for the specific purpose for which it was collected. This means that public authorities cannot use personal data collected for one purpose for a different purpose without obtaining further consent or legal authority. The AA Act requires “agencies” (and therefore Public Authorities) to consult with the provider prior to issuing a notice for assistance or access to data, and the agency must be satisfied that the notice is reasonable, proportionate, practicable, and technically feasible. | |
| D9: What rights and remedies are available to a data subject in the event that a public authority requests access to their personal data? | If an individual believes that their privacy has been breached by a government agency or a company, they can lodge a complaint with the OAIC. The OAIC is responsible for investigating and resolving privacy complaints, and has the power to take enforcement measures against the agency if it finds a breach of the Privacy Act. As discussed above, enforcement measures include compensation. If an individual believes that a public authority agency has behaved in a way that is unlawful, inappropriate, or contradicts human rights, they have the right to lodge a complaint with the Inspector-General of Intelligence and Security (IGIS). Additional reporting requirements add to transparency (the Assistance and Access Act 2018): The public will have visibility of the use of the new powers through annual reporting requirements. The Minister is required to publish a written report every financial year that sets out the number of technical assistance notices and technical capability notices. Providers may produce transparency reports disclosing the number of notices received in a six month period. Providers may also apply for conditional disclosure exemptions to reveal the nature of assistance they have provided. Civil remedies—unlawful interception or communication (s.107A TIA Act): Injunctive relief & Punitive damages are available in case of unlawful interception. | |
| D10: Can these rights and remedies be exercised before an independent judiciary? | ☒ Yes ☐ No | Review by the courts, experts and arbitration: Affected people and companies have an avenue to challenge a decision to issue a notice. Judicial review by the courts is available under the Judiciary Act 1903. Administrative Appeals Tribunal (AAT): The AAT is an independent tribunal that has the authority to review certain decisions made under the Privacy Act. If a person is dissatisfied with a decision made by the OAIC or another government agency, they may apply to the AAT for a review. |
| E. Practices of Public Authorities | ||
| E1: Does the legislation in the third country formally meet EU standards (i.e. there are reasonable and proportionate safeguards on public authority access to data) but manifestly not applied/complied with in practice? | ☒ Yes ☐ No | The legislative frameworks outlined above, from our perspective, provide reasonable and proportionate safeguards for public authority and law enforcement access to data. These laws include mechanisms to ensure that such access rights are exercised in a necessary and proportionate manner, and are generally applied and adhered to in practice. |
| E2: Are there practices incompatible with the SCCs commitments where relevant legislation in the third country is lacking? | ☒ Yes ☐ No | It is our view that most practices in Australia are compatible with the standard contractual clauses commitments used to ensure data protection. We believe the legal frameworks we’ve discussed cover most situations and align well with SCC obligations. |
| E3: Can the public authorities of the third country access the data without the data recipient’s knowledge or cooperation, in light of legislation, practice and reported precedents? | ☒ Yes ☐ No | Certain legislative provisions permit relevant public authorities to access personal information without the awareness or consent of the individual or organisation. In specific situations, authorities may covertly access an organisation’s systems. For instance: TIA Act, there’s no requirement to notify a data importer if their communications are being intercepted. SD Act doesn’t require data importers to be notified if a computer access warrant impacts their data or communications. ASIO Act, a warrant can be issued without giving notice to the affected data importer.The IS Act has no notice requirements for affected data importers. However, the use of these powers by public authorities is overseen by the Office of the Commonwealth Ombudsman. The Ombudsman’s office ensures that agencies comply with the law when using covert or forceful powers and conducts inspections of agency records to verify compliance. |
| E5: Can public authorities of the third country access the data through the data recipient or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents? | ☒ Yes ☐ No | The TOLA Act and TIA Act permits public authorities in Australia to access data through the data recipient or through telecommunications providers for national security purposes. However, government agencies must first obtain a warrant from a court or tribunal. The applications for these warrants must meet the stringent conditions outlined in the Act. However, there are certain situations, like emergencies, where agencies can access communications without needing a warrant. Certain authorised officers in government agencies may request that industry providers provide data as part of investigations into crime, revenue and national security matters. Officers can only seek access to data after meeting the legal criteria outlined in the Act. The Commonwealth Ombudsman, or the Inspector-General of Intelligence and Security in the case of ASIO, independently oversees these requests for data access. |
| E6: Are the four European Essential Guarantees respected in the recipient country, to ensure interferences with data protection rights through surveillance measures do not go beyond what is necessary and proportionate in a democratic society? | Tick each essential guarantee that is respected: ☒ Processing is based on clear, precise and accessible rules ☒Necessity and proportionality regarding the legitimate objectives pursued ☒ An independent oversight mechanism should exist ☒ Effective remedies are available for data subjects | In our view, the relevant access laws in Australia provide protection which is equivalent to the European Essential Guarantees. |
| E7: Has the data recipient received any request from public authorities to disclose data, in the past 12 months, two years and five years? If so: how often?what types of requests have been received?how has the data recipient responded to those requests? | None have been received for five years or more. Main telecoms partners have received requests which we have assisted with, but we have no received a request directly from a public authority. | |
| E8: Are you aware of other organisations in the data recipient’s sector receiving requests from public authorities to disclose data, in the past 12 months, two years and five years? | None for VoIP services such as CloudCall. However, we do know of telecoms providers receiving requests, that we have assisted and supported with. | |
| E9: Is there any reason to believe the type of data concerned will be of interest to the intelligence authorities in the future? | ☐ Yes ☒ No | The type of data processed relates to prospective customers and follows the sales process. |
II. Assessment result of level of protection provided in third country
International data transfer transfer impact assessment (TIA) – UNITED STATES
In this document CloudCall Inc (the US entity of CloudCall) are the data recipients, and CloudCall Ltd (the UK entity) shall be transferring the data and are conducting the enquiries in order to conduct the risk assessment of the transfer.
I. Data protection regime in recipient country
Please answer the questions below in relation to the jurisdiction(s) identified at section 1. D.
| Question | Information supplied by data recipient | Information from your own enquiries, including source of information |
| A. Data Protection Laws – United States | |||
| Source of information relating to third country laws | Information either supplied by data recipient or from own enquiries (namely reports from academic institutions, and civil society organizations (e.g. NGOs)), as indicated. | ||
| Does the third country have a dedicated data protection law? | ☐ Yes ☒ No If yes, identify the data protection law | The US federal law has adopted a sectoral approach to address privacy and data protection. There are several sector-specific federal laws, including : the Fair Credit Reporting Act 1970 (FCRA) and the Fair and Accurate Credit Transactions Act of 2003 (FACTA) protect the information collected by consumer reporting agencies, restrict the use of information relating to the creditworthiness of an individual, protect consumers against identity theft and improve the accuracy of consumers’ credit records;the US Privacy Act of 1974, which established important rights and restrictions on data held by US government agencies;the Family Educational Rights and Privacy Act of 1974 (FERPA), which protects the privacy of student education records;the Electronic Communications Privacy Act of 1986 (ECPA), which places restrictions on access to certain electronic communications by the US government when the communications are in storage or in transit;the Video Privacy Protection Act of 1988 (VPPA), which applies to videotape service providers (and has since been interpreted to also apply to certain digital video or online streaming services); the Telephone Consumer Protection Act of 1991 (TCPA), which places restrictions on telemarketing calls and the use of automatic telephone dialling systems;the Telemarketing and Consumer Fraud and Abuse Prevention Act of 1994 (TCFAPA), which protects consumers from telemarketing deception and abuse;the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which applies to health data held by covered entities or business associates, and the Health Information Technology for Economic and Clinical Health Act 2009 (HITECH), which addresses privacy, security and breach notification issues related to individual’s protected health information;the Children’s Online Privacy Protection Act of 1998 (COPPA), which imposes requirements on website platforms or online services that are directed at children under the age of 13 years;the Gramm-Leach-Bliley Act of 1999 (GLBA), which governs the protection of personal information handled by banks, insurance companies and other companies in the financial service industry – among other requirements, it requires financial institutions to be transparent about their information-sharing practices to their customers and to protect sensitive data that they hold; andthe Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM), which protects consumers from deceptive commercial emails and requires the implementation of opt-out mechanisms. As a result of the US sectoral approach, each state may enact its own laws governing privacy and data protection. As a result, privacy requirements differ from state to state, and cover different areas. Where a federal statute covers a specific topic, it may prevail over a similar state law on the same topic. There are now four state laws in force: the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)the Colorado Privacy Act the Connecticut Data Privacy Act the Virginia Consumer Data Protection Act There are eight more state laws that have been signed and are due to come into force; the Delaware Personal Data Privacy Act (in force 1 January 2025)the Indiana Consumer Data Protection Act (in force 1 January 2026) the Iowa Consumer Data Protection Act (in force 1 January 2025)the Montana Consumer Data Privacy Act (in force 1 October 2024)the Oregon Consumer Privacy Act (in force 1 July 2024)the Tennessee Information Protection Act (in force 1 July 2025)the Texas Data Privacy and Security Act (in force 1 July 2024)the Utah Consumer Privacy Act (in force 31 December 2023) Nine active comprehensive privacy bills are currently before the legislatures of 7 different states. | |
| Is the data protection law in the third country based on any international instruments on privacy or data protection? | ☐Yes ☒ No If yes, identify the international instruments | N/A | |
| Is there an independent data protection authority in the third country? | ☒ Yes ☐ No If yes, identify the data protection authority | There is no single national authority, but the Federal Trade Commission (FTC) has the authority to issue and enforce privacy regulations in certain areas of commerce. The Federal Trade Commission enforces a variety of antitrust and consumer protection laws affecting virtually every area of commerce, with some exceptions concerning banks, insurance companies, non-profits, transportation and communications common carriers, air carriers, and some other entities. The basic statute enforced by the FTC, Section 5(a) of the FTC Act (the FTC Statute), empowers the agency to challenge privacy violations by organisations whose information practices are considered “deceptive” or “unfair”. The FTC has the authority to enforce several sector-specific laws, which include the CAN-SPAM Act, COPPA, the FCRA, and the TCFAPA, among others Other regulators include agencies at the federal and state-level, as well as state consumer protection regulators (usually the state Attorneys General), may also exercise regulatory authority in relation to privacy. Examples at the federal level include: the Office of the Comptroller of the Currency, the Department of Health and Human Services, the Federal Communications Commission, the Securities and Exchange Commission, the Consumer Financial Protection Bureau and the Department of Commerce. At the state level, the recently enacted CPRA created the first agency focused on data protection in the U.S., the California Privacy Protection Agency (CPPA). The Civil Liberties Protection Officer of the Director of National Intelligence investigates complaints made under the EU-U.S. Data Privacy Framework (DPF) redress mechanism (see below). | |
| Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How are such breaches handled? | ☒ Yes ☐ No If yes, provide further information | The FTC Statute gives the FTC authority to seek relief for consumers, including injunctions and restitution, and in some instances to seek civil penalties from wrongdoers. An FTC order generally becomes final sixty days after being served. If a respondent violates a final order, the FTC can seek a civil penalty for each violation. If the FTC determines as a result of proceedings that a practice is unfair or deceptive, and issues a final cease and desist order, the FTC may obtain civil penalties from a company who may continue to be in breach. The FTC will however need to demonstrate that the company in breach had “actual knowledge that such act or practice is unfair or deceptive and is unlawful” under the FTC Statute. The usual way to achieve this is for the FTC to provide a copy or a “synopsis” of the FTC determination. All FTC investigations are non-public and may be initiated by its own volition or further to a complaint. FTC’s enforcement actions tend to conclude with a settlement agreement with companies. EO 14086 created a two-tier redress mechanism for EEA individuals under which: an EEA individual can submit a complaint to the relevant EEA Data Protection Authority (DPA)the DPA channels the complaint via the EDPBthe complaint is investigated by the Civil Liberties Protection Officer of the Director of National Intelligencethere is a right of appeal to the Data Protection Review Courtthe complainant will be told that a violation has been found and remedied or no violation has been found This redress mechanism applies irrespective of which transfer mechanism is used, so it applies if SCCs or BCRs are used to transfer personal data to the USA, as well as the DPF. | |
| Does the data protection law cover all commercial sectors and types of organisations or are some areas of activity outside its scope? | Please explain. | The federal laws are sector-specific and medium-specific, so will not apply to all types of processing activities. Legislation at the federal level primarily protects data in specific sectors, such as healthcare, education, communications and financial services or, in the case of online data collection, that of children. Key sector-specific laws include those covering financial services, healthcare, telecommunications, and education. The Gramm-Leach-Bliley Act (GLBA) 1999 governs the protection of personal data in the hands of banks, insurance companies and other companies in the financial service industry. This statute addresses “Non-Public Personal Information” (NPI), which includes any information that a financial service company collects from its customers in connection with the provision of its services. It imposes requirements on financial service industry companies for securing NPI, restricting disclosure and use of NPI and notifying customers when NPI is improperly exposed to unauthorised persons. The Fair Credit Reporting Act (FCRA), as amended by the Fair and Accurate Credit Transactions Act (FACTA), restricts use of information with a bearing on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living to determine eligibility for credit, employment or insurance. It also requires the truncation of credit card numbers on printed receipts, requires the secure destruction of certain types of personal data, and regulates the use of certain types of information received from affiliated companies for marketing purposes. In addition to financial industry laws and regulation, the major credit card companies require businesses that process, store or transmit payment card data to comply with the Payment Card Industry Data Security Standard (PCI-DSS). The Health Information Portability and Accountability Act, as amended (HIPAA) protects data held by a covered entity that concerns health status, provision of healthcare or payment for healthcare that can be linked to an individual. Its Privacy Rule regulates the collection and disclosure of such information. Its Security Rule imposes requirements for securing this data. The Telephone Consumer Protection Act (TCPA) and associated regulations regulate calls and text messages to mobile phones, and regulate calls to residential phones that are made for marketing purposes or using automated dialling systems or pre-recorded messages. The Family Educational Rights and Privacy Act (FERPA) provides students with the right to inspect and revise their student records for accuracy, while also prohibiting the disclosure of these records or other personal information on the student, without the student’s or parent’s (in some instances) consent. The state laws have wider cross-sector application, but need to be examined on a state-by-state basis. | |
| B. Obligations on Data Recipient | |||
| Is the data recipient subject to the data protection law(s) described above? | ☒ Yes ☐ No | Yes, a data recipient based in the US will be subject to the federal laws, and the relevant sector and state laws set out above. | |
| What are the main obligations imposed on the data recipient under the above data protection law(s)? | Please explain | The FTC has taken the position that “deceptive practices” include a company’s failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods Main obligation vary according to specific law but can include: restrictions and obligations relating to the collection, use, disclosure, security, or retention of special categories of dataobtain consent in limited circumstances where the use of consumer data is materially different than claimed when the data was collected, or where sensitive data is collected for certain purposespurpose/ processing limitation notice/ transparency requirements risk assessments prohibition on discrimination requirement to respect consumer rights (e.g. access, deletion, right to opt-out of sales of data)restrictions on the retention of data”, including disposal State Data Breach Notification Laws: At the federal level, HIPAA requires covered entities to report data breaches to impacted individuals without unreasonable delay, and in no case later than 60 days. Notice should include a description of the breach, including: the types of information that were involved; the steps individuals should take to protect themselves, including who they can contact at the covered entity for more information; as well as what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches. For breaches affecting more than 500 residents of a state or jurisdiction, covered entities must provide local media notice, in addition to individual notices. Every state has adopted data breach notification legislation that applies to certain types of personal data about its residents. Even if a business does not have a physical presence in a particular state, it typically must comply with the state’s laws when faced with the unauthorised access to, or acquisition of, personal data it collects, holds, transfers or processes about that state’s residents. The types of data subject to these laws vary, with most states defining personal data to include an individual’s first name or first initial and last name, together with a data point including the individual’s SSN, driver’s licence or state identification card number, financial account number or payment card information. As of May 2018, all 50 states, the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands have statutes that require data breaches to be reported, as defined in each statute, to impacted individuals. If a breach occurs involving residents of multiple states, then multiple state laws must be followed. | |
| Are there any specific restrictions on the disclosure of personal data by the data recipient to third parties? | ☒ Yes ☐ No If yes, summarise the main restrictions | Varies according to specific law. | |
| C. Data Subject Rights | |||
| Do data subject have the right to access their personal data? | ☒ Yes ☐ No If yes, summarise the main restrictions | Varies according to specific law. Right of access to data/copies of data These rights are statute-specific. For example, employees may be entitled to receive copies of data held by employers. In other circumstances, parents are entitled to receive copies of information collected online from their children under the age of 13. Under HIPAA, individuals are entitled to request copies of medical information held by a health services provider. Further, the CCPA provides a right of access for California residents to personal information held by a business relating to that resident. Right to rectification of errors These rights are statute-specific. Some laws, such as the FCRA, provide consumers with a right to review data about the consumer held by an entity and request corrections to errors in that data. At the state level, the right to correct information commonly attaches to credit reports, as well as criminal justice information, employment records, and medical records. Right to deletion These rights are statute-specific. By way of federal law example, COPPA provides parents the right to review and delete their children’s information and may require that data be deleted even in the absence of a request. Some state laws, such as the CCPA and the CDPA, provide a right of deletion for residents of the respective states, with certain exceptions. Right to object to processing These rights are statute-specific. Individuals are given the right to opt out of receiving commercial (advertising) emails under CAN-SPAM and the right to not receive certain types of calls to residential or mobile telephone numbers without express consent under the TCPA. Some states provide individuals with the right not to have telephone calls recorded without either consent of all parties to the call or consent of one party to the call. Right to restrict processing These rights are statute-specific. Certain laws restrict how an entity may process consumer data. For example, the CCPA allows California residents, and the Nevada Privacy Law allows Nevada residents to prohibit a business from selling that individual’s personal information. The newly enacted CDPA will provide a right to restrict processing for the purposes of sale, targeted advertising, and profiling. Right to data portability These rights are statute-specific. Examples of consumer rights to data portability exist under HIPAA, where individuals are entitled to request that medical information held by a health services provider be transferred to another health services provider. In addition, the CCPA provides a right of data portability for California residents. Right to withdraw consent These rights are statute-specific. By way of example, under the TCPA, individuals are permitted to withdraw consent given to receive certain types of calls or texts to residential or mobile telephone lines. | |
| Do data subjects have any other substantive rights? | ☒ Yes ☐ No If yes, summarise the main restrictions | Varies according to specific law but examples may include: Right to object to marketing These rights are statute-specific. Several laws permit consumers to restrict marketing activities involving their personal data. Under CAN-SPAM, for example, individuals may opt out of receiving commercial (advertising) emails. Under the TCPA, individuals must provide express written consent to receive marketing calls/texts to mobile telephone lines. California’s Shine the Light Act requires companies that share personal information for the recipient’s direct marketing purposes to either provide an opt-out or make certain disclosures to the consumer of what information is shared, and with whom. Right to complain to the relevant data protection authority(ies) These rights are statute-specific. By way of example, individuals may report unwanted or deceptive commercial email (“spam”) directly to the FTC, and telemarketing violations directly to the FCC. Similarly, anyone may file a HIPAA complaint directly with the Department of Health and Human Services (HHS). At the state level, California residents may report alleged violations of the CCPA to the California Attorney General. | |
| What remedies are available to data subjects in the event that their rights are breached? | Please explain. | There are limited rights to sue businesses subject to state laws. The CCPA gives consumers a limited right of action to sue if they’re the victim of a data breach. Certain government officials—including state Attorneys General, county District Attorneys, and city attorneys—can sue a company for its deceitful business practices without having to show personal harm. Instead, they can file a company as a representative for the public. As above, EO 14086 establishes a new redress mechanism through which the safeguards contained in the EO can be invoked and enforced by individuals. | |
| Are these rights exercisable through the judicial system or enforced by the supervisory authority, or both? | ☐ Judicial system only ☐ Enforced by supervisory authority only ☒ Both ☐ Neither | See above. | |
| D. Public Authority’s Right of Access | |||
| Is there a legal framework providing for such access, when it is envisaged, that is publicly available and sufficiently clear? | ☒ Yes ☐ No | Yes – interference from the U.S. government needs to be based on applicable surveillance laws The relevant U.S. laws are accessible online, and further information can be found on the ‘IC on the Record’ website that ODNI maintains on behalf of the U.S. Intelligence Community (https://icontherecord.tumblr.com). | |
| Are authorities in the country/countries of import entitled to access personal data which we may send to you? | ☐ Yes ☒ No If yes, move to the next question | It is unlikely that FISA applies to CloudCall Inc as an entity. | |
| Is the data importer required to co-operate in any respect of government authorities or related agencies that conduct surveillance of communications, whether mandatory or voluntary? | ☒ Yes ☐ No ☐ The data importer is under a legal obligation not to answer this question If yes, provide further information | CloudCall Inc. would be required to comply with any duly obtained court orders and warrants. | |
| Is the data recipient subject to surveillance laws of the third country? | ☒ Yes ☐ No If yes, move to the next question | Generally, Section 702 of the Foreign Intelligence Surveillance Act (FISA 702), and Executive Order 12333 (EO 12333) authorise surveillance of non-U.S. persons located outside of the United States, and Presidential Policy Directive 28 (PPD-28) prohibits certain bulk collections and limits how long agencies can retain information on non-U.S. persons. Under the USA FREEDOM Act, which has replaced the USA PATRIOT Act, where a US government agency seeks access to telephony metadata, it must obtain judicial approval on a targeted case-by-case basis. Its application for such approval must show that there are reasonable grounds to believe that the records are relevant to such an investigation and establish reasonable, articulable suspicion that the specific selection terms associated with the request are connected to entities engaged in international terrorism. Intelligence agencies cannot collect call detail records directly, but the agency must request access from the service provider. The Stored Communications Act, as clarified by the Clarifying Lawful Overseas Use of Data (CLOUD) Act to have extraterritorial application, enables US authorities to access data without consent pursuant to a search warrant issued by a US court in accordance with US criminal procedures. The CLOUD Act gives enforcement authorities the right to compel electronic communications service providers to give them access to data that is in the “possession, custody or control” of any US company or foreign company with a presence in the US. The extraterritorial effect of the CLOUD Act may conflict with the GDPR and the UK GDPR. This is because the CLOUD Act may apply to the personal data of individuals who are resident in the EEA. Executive Order 14086 (EO 14086) replaces PPD-28 to a large extent and strengthens the conditions, limitations and safeguards that apply to all signals intelligence activities (i.e. on the basis of FISA and EO 12333), regardless of where they take place, and establishes a new redress mechanism through which these safeguards can be invoked and enforced by individuals. ☒ The data recipient may be subject to FISA 702 ☒ The data recipient may be subject to EO 12333 ☒ The data recipient may be subject to PPD 28 ☒ The data recipient may be subject to EO 14086 | |
| Surveillance laws in the United States | Is the data recipient directly subject to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (FISA 702) in the United States? | ☒ Yes ☐ No ☐ Not known ☐ The data importer is under a legal obligation not to answer this question If yes, identify the relevant surveillance regime | FISA 702 allows the U.S. government to conduct electronic surveillance for national security or foreign intelligence purposes on targets that are non-U.S. persons who are not within the U.S. at the time of the surveillance. The U.S. government is not required to submit each individual target for judicial review; rather, an oversight body – the Foreign Intelligence Surveillance Court (“FISC“), a federal court comprised of independent judges with lifetime tenure – oversees and approves the targeting procedures and guidelines that govern this surveillance to ensure they are reasonably designed to ensure targets are persons who are outside the U.S. Under this authority and subject to these approved procedures, the U.S. government can require U.S. electronic communication service providers and remote computing service providers to provide data to the U.S. government and do so in a way that does not undermine the secrecy of the request. FISA 702 only governs the collection of data within the United States; The information must be acquired from an “electronic communication service provider,” or with the assistance of such a provider. As used in Section 702, the term “electronic communication service provider” includes communications providers (such as telephone, email, or internet service providers (ISPs)) as well as remote computing service providers that provide “computer storage or processing services” to the public. Although Section 702 requires the target of surveillance to be outside the United States (e.g., an EU citizen in Europe), the information may be acquired from facilities within the United States, such as data centres operated by U.S.-based electronic communication service providers. If the government targets a non-U.S. person through an acquisition that occurs outside the United States, that acquisition would not necessarily be governed by FISA, including Section 702, but would still need to comply with EO 12333 and EO 14086. |
| Is the data recipient required to co-operate in any respect with US authorities conducting surveillance of communications under EO 12333, whether mandatory or voluntary? | ☒ Yes ☐ No ☐ Not known ☐ The data importer is under a legal obligation not to answer this question If yes, identify the relevant surveillance regime | ||
| Does publicly available information show that there is a legal prohibition on the data recipient of informing about a specific request for access to data received and wide restrictions on providing general information about requests for access to data received or the absence of requests received? | ☒ Yes ☐ No | There is likely to be a non-disclosure obligation on the data recipient so as not to endanger national security. | |
| Are you subject to any other country’s surveillance laws? | ☐ Yes ☒ No ☐ Not known ☐ The data importer is under a legal obligation not to answer this question If yes, identify the relevant surveillance regime | ||
| What personal data can public authorities require the data recipient to provide and in what circumstances, e.g. under: any applicable security surveillance regime?in the course of an investigation? Does this include the type of personal data that will be transferred to the data recipient? | Please explain. | Please see the information above about the scope and operation of FISA. | |
| What limitations do data protection and privacy laws impose on such requests by public authorities? | Please explain. | Surveillance under FISA must be limited to what is required for national security or foreign intelligence purposes. Surveillance under EO 12333 must be limited to detecting and countering espionage, sabotage, terrorism, cybersecurity threats, threats from weapons of mass destruction, and transnational criminal threats such as money laundering and evasion of U.S. sanctions. | |
| What rights and remedies are available to a data subject in the event that a public authority requests access to their personal data? | Please explain. | FISA empowers a person who has been subject to FISA surveillance and whose communications are used or disclosed unlawfully to seek compensatory damages, punitive damages, and attorney’s fees against the individual who committed the violation. The following specific statutes establish means of individual redress for violations of Section 702: 1. Section 1810 of the Foreign Intelligence Surveillance Act, 50 U.S.C. § 1810 (2018). 2. Section 2712 of the Electronic Communications Privacy Act, 18 U.S.C. § 2712 (2018). 3. Section 702 of the Administrative Procedure Act, 5 U.S.C. § 702 (2018). Additional FISA 702 privacy safeguards, may be found on “IC on the Record,” the website that ODNI maintains on behalf of the U.S. Intelligence Community: 1. FISC order of 26 April 2017, available at link. 2. NSA Section 702 Targeting Procedures (29 Mar. 2017), available at link. 3. FISA Amendments Reauthorization Act of 2017, Pub. L. No. 115-118, 132 Stat. 3 (19 Jan. 2018). The Electronic Communications Privacy Act provides a separate cause of action for compensatory damages and attorney’s fees against the government for wilful violations of FISA. Individuals may also challenge unlawful government access to personal data through civil actions under the Administrative Procedure Act, which allows persons ‘suffering legal wrong’ because of surveillance to seek injunctive relief. As above, EO 14086 establishes a new redress mechanism through which the safeguards contained in the EO can be invoked and enforced by individuals. Individuals also have rights of redress in respect of protected health information under the Health Insurance Portability and Accountability Act, and remedies under certain state laws such as the California Consumer Privacy Act and the Biometric Information Privacy Act. | |
| Can these rights and remedies be exercised before an independent judiciary? | ☒ Yes ☐ No | See above. | |
| E. Practices of Public Authorities | |||
| Does the legislation in the third country formally meet EU standards (i.e. there are reasonable and proportionate safeguards on public authority access to data) but manifestly not applied/complied with in practice? | ☐ Yes ☒ No ☐ Not known | In the European Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (DPF) the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the EEA to certified organisations in the United States. | |
| Are there practices incompatible with the SCCs commitments where relevant legislation in the third country is lacking? | ☒ Yes ☐ No ☐ Not known | In the European Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (DPF) the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the EEA to certified organisations in the United States. | |
| Can the public authorities of the third country access the data without the data recipient’s knowledge or cooperation, in light of legislation, practice and reported precedents? | ☒ Yes ☐ No ☐ Not known | The only circumstances whereby individuals are informed that their data has been acquired by the U.S. government under FISA 702 is if the U.S. government uses data acquired from the surveillance as evidence against them in an enforcement action. | |
| Does the transferred data and/or importer fall or potentially fall within the scope of problematic legislation (i.e. that would impinge on the SCC’s contractual guarantee of an essentially equivalent level of protection and not meet EU standards on fundamental rights, necessity and proportionality)? | ☐ Yes ☐ No ☒ Not known | In the European Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (DPF) the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the EEA to certified organisations in the United States. However, before the Commission adopted its decision, the European Data Protection Board (EDPB) published an Opinion and the European Parliament adopted a Resolution expressing concerns that EO 14086 and the DPF have not addressed all the issues that led to the Court of Justice of the European Union invalidating the DPF’s predecessor (the EU-US Privacy Shield), including: FISA 702 still allows for bulk collection of personal data without independent prior authorisation;there are no clear rules on data retention; andthe redress mechanism is secret and not independent. In relation to transfers from the UK, the Information Commissioner’s Office has published an Opinion on the UK Government’s assessment of adequacy for the UK Extension to the EU-US Data Privacy Framework (DPF) for the general processing of personal data. The Commissioner considers that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied: The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR. Instead, the UK Extension includes a catch-all provision specifying, “…any other information received from a third party that is identified and treated by that party as sensitive.” Accordingly, UK organisations will need to identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US-certified organisation so that it will be treated as sensitive information under the UK Extension.For criminal offence data, there may be some risks even where this is identified as sensitive because, as far as the ICO is aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974, which places limits on the use of data relating to criminal convictions when those convictions have become ‘spent’ following the relevant rehabilitation period, including the ability to request that this data is deleted. It is not clear how these protections would apply once the information has been transferred to the USA.The UK Extension does not contain a substantially similar right to the UK GDPR to protect individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. | |
| Can public authorities of the third country access the data through the data recipient or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents? | ☒ Yes ☐ No ☐ Not known | Under FISA 702, the U.S. government can issue directives to electronic communication service providers in the United States, compelling the providers to disclose communications data. See above. | |
| Are the four European Essential Guarantees respected in the recipient country, to ensure interferences with data protection rights through surveillance measures do not go beyond what is necessary and proportionate in a democratic society? | ☐ Yes ☒ No ☐ Not known | In the European Commission Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (DPF) the Commission concludes that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the EEA to certified organisations in the United States. This finding is limited to organisations which have self-certified under the DPF. In order to self-certify, organisations must publicly commit to comply with the DPF Principles, which comprise seven privacy principles and sixteen supplemental principles. These principles are very similar to those under the Privacy Shield. Only one principle is relevant to the US government’s right of access. Supplemental principle 16 (Access Requests by Public Authorities) provides that: In order to provide transparency in respect of lawful requests by public authorities to access personal information, participating organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. The information provided by the participating organizations in these reports together with information that has been released by the intelligence community, along with other information, can be used to inform the periodic joint review of the functioning of the EU-U.S. DPF in accordance with the Principles.Absence of notice in accordance with point (a)(xii) of the Notice Principle shall not prevent or impair an organization’s ability to respond to any lawful request. | |
| Has the data recipient received any request from public authorities to disclose data, in the past 12 months, two years and five years? If so: how often?what types of requests have been received?how has the data recipient responded to those requests? | ☐ Yes ☒ No ☐ The data importer is under a legal obligation not to answer this question | No requests from any public authorities for 5 years or more. | |
| Are you aware of other organisations in the data recipient’s sector receiving requests from public authorities to disclose data, in the past 12 months, two years and five years? | ☐ Yes ☒ No | We are not aware of any such requests. | |
| Is there any reason to believe the type of data concerned will be of interest to the intelligence authorities in the future? | ☐ Yes ☒ No | The type of data in ‘voice over internet’ sector would be limited to sales information and customer relationship management information. None of which would be of interest to intelligence authorities. | |
II. Assessment result of level of protection provided in third country
This Data Processing Addendum (“DPA“) is incorporated into and supplements the Agreement, as updated from time to time between CloudCall Group Limited (together with its Affiliates, “CloudCall“) and the Customer that enters into the Agreement (“Customer” or “you“).
The Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws, on behalf of its Authorised Affiliates (if and to the extent CloudCall processes Personal Data for which such Authorised Affiliates qualify as the Controller). For the purposes of this DPA only (except where indicated otherwise) the term “Customer” shall therefore include the Customer and its Authorised Affiliates.
1. INTERPRETATION
1.1. The following terms in this DPA shall have the following meanings:
| Affiliate | means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. |
| Agreement | means the entire agreement between CloudCall and the Customer under which CloudCall provides one or more of the Services to the Customer, including the Terms and Conditions, the Order, the Key Terms and any Schedule(s). For the avoidance of doubt, all references to the “Agreement” shall include this DPA and the SCCs (where applicable). |
| Authorised Affiliate | means any of Customer’s Affiliate(s) which is permitted to use the Services pursuant to the Agreement between the Customer and CloudCall but has not signed its own Order with CloudCall and is not a “Customer” as defined under the Agreement. |
| Customer Personal Data | means any personal data that CloudCall processes as a processor on behalf of the Customer in relation to the Service(s), as more particularly described in this DPA. For the avoidance of doubt, Customer Personal Data does not include personal data for which CloudCall is a Controller and which CloudCall processes in accordance with CloudCall’s Privacy Notice. |
| Control | means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly. |
| Data Protection Laws | means all applicable laws and/or regulations which relate to data protection, the processing of personal data, privacy and/or electronic communications, including (but not limited to): Regulation (EU) 2016/679 (“EU GDPR“); Directive 2002/58/EC (“ePrivacy Directive“); the California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law“); the UK Data Protection Act 2018 (“DPA 2018“); the UK General Data Protection Regulations (“UK GDPR“). |
| EEA | means the European Economic Area |
| EEA Adequate Country | means a country or territory outside the EEA which the EU Commission has recognised as providing an adequate level of protection for personal data in accordance with the EU GDPR, including (without limitation) the UK |
| EU SCCs | means the standard contractual clauses for the transfer of personal data to third countries in the form annexed to the European Commission’s decision of 4 June 2021. |
| EU | means the European Union |
| Personal Data Breach | means any unauthorised or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Personal Data on systems managed or otherwise controlled by CloudCall. |
| Services | means the relevant services identified and defined in the Agreement. |
| SCCs | means the EU SCCs as supplemented by the UK Addendum. |
| Special Category(ies) of Personal Data | means genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health or a natural person’s sex life or sexual orientation; personal data revealing racial, ethnic, political or religious beliefs, or trade union membership; and personal data relating to criminal convictions and offenses. |
| Sub-processor | means any processor engaged by CloudCall or its Affiliates to assist in fulfilling its obligations with respect to providing the Service(s) pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of CloudCall but shall exclude CloudCall employees, contractors, or consultants. |
| UK | means the United Kingdom. |
| UK Addendum | means the UK international data transfer addendum to the EU SCCs as issued by the Information Commissioner under s.199A(1) of the DPA 2018. |
| UK Adequate Country | means a country or territory outside the UK which the UK Government has recognised as providing an adequate level of protection for personal data in accordance with the UK GDPR. |
1.2. All capitalised terms not defined in this DPA shall have the meanings set out in the Standard Terms and Conditions and/or Order as the case may be.
1.3. The words “in particular”, “such as”, “include” or “including” do not denote an exhaustive list, and references to laws are references to those laws as amended, re-enacted and/or replaced from time to time.
1.4. The terms “personal data“, “controller“, “data subject“, “processor” and “processing” shall have the meaning given to them under applicable Data Protection Laws or if not defined thereunder, the EU GDPR, and the terms “process“, “processes” and “processed” with respect to any Customer Personal Data, shall be interpreted accordingly.
2. ROLES AND RESPONSIBILITIES
2.1. Parties’ roles. If applicable Data Protection Laws apply to either party’s processing of Customer Personal Data, the parties acknowledge and agree that with regard to the processing of Customer Personal Data, Customer is the controller and CloudCall is a processor acting on behalf of Customer, as further described in Appendix A (Details of Data Processing) of this DPA.
2.2. Purpose limitation. CloudCall shall process Customer Personal Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes“). The parties agree that the Agreement sets out Customer’s complete and final instructions to CloudCall in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) shall be in writing between the parties.
2.3. Prohibited data. Unless otherwise set forth in Appendix A of this DPA, Customer will not provide (or cause to be provided) any Special Category of Personal Data to CloudCall for processing under the Agreement, and CloudCall will have no liability whatsoever for such data, whether in connection with a Personal Data Breach or otherwise.
2.4. Customer compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions it issues to CloudCall; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for CloudCall to process Customer Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
2.5. Lawfulness of Customer’s instructions. Customer will ensure that CloudCall’s processing of the Customer Personal Data in accordance with Customer’s instructions will not cause CloudCall to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. CloudCall shall promptly notify Customer in writing, unless prohibited from doing so under applicable Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates the GDPR or any UK implementation of the GDPR.
3. SUB-PROCESSING
3.1. Authorised Sub-processors. Customer provides CloudCall general written authorisation to engage Sub-processors to process Customer Personal Data on Customer’s behalf for the purposes of providing the Services. A list of CloudCall’s relevant Sub-processors is set out in Appendix E. If Customer objects to the engagement of a new Sub-processor on reasonable grounds within ten (10) days, CloudCall will use reasonable efforts to make a change in the Services or recommend a commercially reasonable change to avoid processing by such Sub-processor. If CloudCall is unable to provide an alternative, Customer may terminate only the affected Services and receive a refund of prepaid fees on a pro-rated basis.
3.2. Sub-processor obligations. CloudCall shall:
3.2.1. enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA; and
3.2.2. remain liable for the performance of such Sub-processor’s compliance with the obligations under this DPA.
4. SECURITY
4.1. Security Measures. CloudCall shall implement and maintain appropriate technical and organisational security measures that are designed to protect Customer Personal Data from Personal Data Breach and designed to preserve the security and confidentiality of Customer Personal Data in accordance with CloudCall’s security standards described in Appendix B (Technical and Organisational Measures) of this DPA.
4.2. Confidentiality of processing. CloudCall shall ensure that individuals authorized by CloudCall to process Customer Personal Data shall be under an appropriate obligation of confidentiality.
4.3. Updates to Security Measures. Customer is responsible for reviewing the information made available by CloudCall relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that CloudCall may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
4.4. Personal Data Breach response. Upon becoming aware of a Personal Data Breach, CloudCall shall:
4.4.1. notify Customer without undue delay, and where feasible, in any event no later than 48 hours upon determining that a Personal Data Breach has occurred;
4.4.2. provide timely information relating to the Personal Data Breach as it becomes known or as is reasonably requested by Customer; and
4.4.3. promptly take reasonable steps to contain and investigate any Personal Data Breach. Customer agrees that an unsuccessful Personal Data breach will not be subject to this Section 4.4. An unsuccessful Personal Data Breach is one that results in no unauthorised access to Customer Personal Data or any facilities or equipment of CloudCall storing Customer Personal Data. CloudCall’s notification of or response to a Personal Data Breach under this Section 4.4 shall not be construed as an acknowledgment by CloudCall of any fault or liability with respect to the Personal Data Breach.
5. AUDITS
5.1. Audit rights. Upon at least 30 days written notice by Customer, CloudCall shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and as required by Data Protection Laws, allow for and contribute to audits, including inspections by Customer in order to assess compliance with this DPA. Before the commencement of any audit, Customer and CloudCall shall mutually agree upon the scope, timing, and duration of the audit. Customer shall reimburse CloudCall for any time expended by the CloudCall or its third-party Sub-processors for any such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by CloudCall, or its third-party Sub-processors. Audits and inspections are subject to CloudCall’s reasonable data protection policies, and do not extend to employee payroll, personnel records or any portions of CloudCall’s sites, books, documents, records or other information that do not relate to the Customer Personal Data or are otherwise commercially sensitive or legally privileged. The information obtained during an audit or inspection, and the results of such, will be considered CloudCall’s Confidential Information.
5.2. Customer audits. CloudCall and/or to the extent a Sub-processor holds a System and Organization Controls (SOC) 2 report, System and Organization Controls (SOC) 3 report or ISO 27001 certification that covers the Services, Customer agrees to exercise any right Customer may have to conduct an audit or inspection under Section 5.1 of this DPA or under the SCCs if they apply, by instructing CloudCall in writing to provide a copy of its most current report or certification, which will be considered CloudCall’s Confidential Information. If the SCCs apply, nothing in this Section modifies or affects any supervisory authority’s or data subject’s rights under the SCCs.
6. INTERNATIONAL TRANSFERS
6.1. Data center locations. Subject to Sections 6.2 and 6.3, Customer acknowledges that CloudCall may transfer and process Customer Personal Data to and in Australia, Canada, the United States and anywhere else in the world where CloudCall, its Affiliates or its Sub-processors maintain data processing operations. CloudCall shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.
6.2. European Data transfers. Where the Customer is based in the EEA and/or EU Data Protection Laws apply to the Customer Personal Data processed by CloudCall under this DPA (“EU Data“), and where CloudCall receives that data in, or intends to onward transfer that data to, a country outside of the EEA that is not recognized as an EEA Adequate Country, the parties shall, upon such transfer taking place, be deemed to enter into the EU SCCs, as incorporated into this DPA by virtue of Appendix C (International Data Transfers of Personal Data outside of the EEA and UK).
6.2.1. For the purposes of the EU SCCs, CloudCall agrees that it is the “Data Importer” and the Customer is the “Data Exporter”, notwithstanding that the Customer may itself be an entity located outside of the EEA.
6.3. UK data transfers. Where the Customer is based in the UK and/or UK Data Protection Laws apply to the Customer Personal Data processed by CloudCall under this DPA (“UK Data“), and where CloudCall receives that data in, or intends to onward transfer that data to, a country outside of the UK that is not recognized as a UK Adequate Country, the parties shall, upon such transfer taking place, be deemed to enter into the UK Addendum to the EU SCCs, as incorporated into this DPA by virtue of Appendix C (International Data Transfers of Personal Data outside of the EEA and UK).
6.3.1. For the purposes of the UK Addendum, CloudCall agrees that it is the “Data Importer” and Customer is the “Data Exporter”, notwithstanding that Customer may itself be an entity located outside of the UK.
6.4. Rest of the World transfers. Where the Customer is based in any country outside of the UK or EEA (including Australia, US, Canada etc) and/or any non-EU and non-UK Data Protection Laws apply to the Customer Personal Data processed by CloudCall under this DPA, the parties acknowledge and agree that CloudCall may transfer such Customer Personal Data outside of Australia, Canada or the US as permitted by terms agreed upon by the parties and subject to CloudCall complying with this DPA and any jurisdiction-specific Data Protection Laws.
6.5. Alternative transfer mechanism. To the extent CloudCall adopts an alternative data transfer mechanism (including any new version of or successor to the SCCs) for the transfer of EU and/or UK Data not described in this DPA (“Alternative Transfer Mechanism“), the Alternative Transfer Mechanism shall apply instead of the SCCs described in this DPA, but only to the extent that such Alternative Transfer Mechanism complies with applicable Data Protection Laws and extends to the countries to which the applicable data is transferred. In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer EU and/or UK Data within the meaning of applicable Data Protection Laws, CloudCall may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of such data.
7. RETURN OR DELETION OF DATA
7.1. Upon termination or expiration of the Agreement (or upon Customer’s written request if earlier), CloudCall shall, at Customer’s election, delete or return to Customer all Customer Personal Data (including copies) in its possession or control.
7.2. The requirement under section 7.1 shall not apply:
7.2.1. to the extent that CloudCall is required by Applicable Laws to retain some or all of the Customer Personal Data; or
7.2.2. to Customer Personal Data that CloudCall has archived on back-up systems, which CloudCall shall securely isolate and protect from any further processing until it is deleted in accordance with CloudCall’s deletion policies.
8. DATA SUBJECT RIGHTS AND COOPERATION
8.1. Data subject requests. As part of the Service, CloudCall provides Customer with several self-service features, that Customer may use to retrieve, correct, delete, or restrict the use of Customer Personal Data, which Customer may use to assist it in connection with its obligations under the Data Protection Laws with respect to responding to requests from data subjects via Customer’s account at no additional cost. In addition, CloudCall shall, taking into account the nature of the processing, provide reasonable additional assistance to Customer to the extent possible to enable Customer to comply with its data protection obligations with respect to data subject rights under applicable Data Protection Laws. If any such request is made to CloudCall directly, CloudCall shall not without Customer’s prior authorisation respond to such communication directly except as reasonably appropriate (for example, to direct the data subject to contact the Customer or to direct the data subject to a publicly available link with information on self-service functionality) or if required by Applicable Laws. If CloudCall is required to respond to such a request, CloudCall shall promptly notify Customer and provide Customer with a copy of the request unless CloudCall is legally prohibited from doing so.
8.2. Data protection impact assessment. To the extent required under applicable Data Protection Laws, CloudCall shall (taking into account the nature of the processing and the information available to CloudCall) provide all reasonably requested information regarding the Service to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws.
9. JURISDICTION-SPECIFIC TERMS
9.1. To the extent CloudCall processes Customer Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Appendix D (Jurisdiction-Specific Terms), then the terms specified in Appendix D apply in addition to the terms of this DPA.
9.2. In the event of any conflict or ambiguity between the terms of Appendix D and any other terms of this DPA, the applicable terms in Appendix D will take precedence, but only to the extent of their applicability to CloudCall.
10. RELATIONSHIP WITH THE AGREEMENT
10.1. Term. This DPA shall remain in effect for as long as CloudCall carries out processing of Customer Personal Data on behalf of Customer or until termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 7 above).
10.2. Precedence. The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Service. In the event of any conflict or inconsistency between this DPA and the remainder of the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; and then (iii) the remainder of the Agreement (which shall be interpreted in accordance with any order of precedence set forth therein).
10.3. Effects of changes. Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
10.4. Third-party rights. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
10.5. Governing law. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Appendix A – Details of Data Processing
Controller (data exporter):
The Customer and/or any Authorised Affiliates who qualify as controller under the terms of this DPA.
Processor (data importer):
The CloudCall entity and/or any CloudCall Affiliate(s) who process Customer Personal Data under the terms of this DPA.
Subject matter of processing:
The subject matter of the data processing under this DPA is the Customer Personal Data.
Duration of processing:
CloudCall will process Customer Personal Data as outlined in Section 7 (Return or Deletion of Data) of this DPA.
Purpose of processing:
The purpose of the processing of the Customer Personal Data shall include:
(i) to provide the Services in accordance with the Agreement;
(ii) to fulfil CloudCall’s obligations under the Agreement and this DPA; and
(iiI) to comply with any other reasonable instructions provided by the Customer (e.g., via email or support tickets that are consistent with the terms of the Agreement).
Nature of processing
Customer Personal Data will be processed in accordance with the Agreement (including this DPA and any Order) and as necessary to provide, maintain and improve the Services provided to Customer pursuant to the Agreement and/or as compelled by Applicable laws, and may be subject to the following processing operations:
Any operation or set of operations, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Categories of data subjects:
The categories of data subject whose personal data is contained with the Customer Personal Data and processed under this DPA are determined and controlled by the Customer in its sole discretion but includes (without limitation) the Customer’s end-users.
Types of personal data:
The types of personal data contained with the Customer Personal Data processed under this DPA is determined and controlled by the Customer in its sole discretion but includes (without limitation):
(i) contact details (such as name, address, email address, phone number);
(ii) call recordings gathered through the CloudCall telephony platform; and
(iii) any other data related to the Customer’s business and CRM system.
Special Categories of Personal Data (as defined by the GDPR) or Sensitive Data:
Any Special Categories of Personal Data contained within the Customer Personal Data and processed under this DPA are determined and controlled by the Customer in its sole discretion, however CloudCall does not elect to, nor does it intentionally, collect or process any Special Categories of Personal Data in connection with the provision of the Service.
Frequency of Personal Data Transfer:
Customer Personal Data will be transferred between CloudCall Affiliates and Sub-processors from the outset and continuously throughout the Term of the Agreement.
Period of Retention:
Customer Personal Data will be retained for the duration of the Agreement and as outlined in Section 7 (Return or Deletion of Data) of the DPA.
Appendix B – Technical and Organisational Measures
The technical and organisational measures applicable to the Service are described here, as updated from time to time in accordance with Section 4.3 of this DPA.
Information Security Program
CloudCall has implemented information security governance which aligns to industry standards (ISO 27001 and SOC2) to protect the confidentiality, integrity and availability of its data assets.
Personnel
All of our staff are made aware of their responsibilities under our internal policies and standards and receive regular guidance and support from our information security team on best practices relating to data security.
In accordance with relevant laws and regulations, adequate background verification checks are conducted when recruiting individuals as permanent staff to reduce any possibility of threat to our critical data assets.
We provide mandatory data protection and information security training to our staff on an ongoing basis and provide supplemental training to specific target groups and individuals as required. Our staff are bound by obligations of confidentiality and understand the consequences of failing to adhere to our policies and their responsibilities.
An employee exit process is also followed at CloudCall which involves revocation of system permissions/access rights and return of company assets in a timely manner post-termination of employment.
User Access management
CloudCall has a well-defined process for granting access to data assets. Access rights are granted to employees solely on a “need-to-know” basis to ensure that our data assets are protected against unauthorised access and disclosure.
Our password policy is also enforced in respect of all data assets, which ensures a minimum length and complexity, and incorporates account lockout requirements in case of failed access attempts.
Infrastructure security
Our Services are offered through public networks, and our communications are protected by secure channels, and strong encryption. Data Loss Prevention controls are also deployed for additional email security.
Incident response
An incident response process is in place to address security incidents as they are identified. Incidents are managed by a dedicated incident response team that follow a documented procedure for mitigation and communications which is implemented according to various recognised standards and industry best practices.
CloudCall’s Incident Response process requires security incidents to be effectively reported, investigated, and monitored to ensure that corrective action is taken to control and remediate security incidents in a timely manner.
Endpoint and virus protection
In line with our internal policies, all CloudCall owned and supported operating systems which are hosted in our data centres or deployed in the cloud are required to be configured with our antivirus solution.
Security controls and monitoring
We review security threat intelligence from our internal vulnerability management tools, vendors and other third-party cybersecurity organisations. Automated and systemic centralised security logging and monitoring of our information operating systems and environment is continual for the purpose of real-time awareness and proactive incident response. At times, additional security controls may be implemented to provide mitigation against known threats.
Device lockdown
Standard security builds are deployed across our infrastructure and our server builds are based on industry practices for secure configuration management.
Operations Security
CloudCall ensures all changes to information operating systems and environments (which includes changes to servers, network equipment and software) are subject to formal change management processes.
CloudCall ensures backup copies of information and software are maintained for the purpose of data recovery in case of events such as system crash or accidental deletion of information.
Capacity management and monitoring
Monitoring of systems, services and operations are implemented to ensure the health of our operating environments. Management tools are implemented to monitor and maintain an appropriately scaled and highly available environment.
Vulnerability scanning
Our information security team supports a vulnerability scanning and policy compliance service that product and technology teams utilize for internal and external vulnerability scanning and configuration compliance. Internet-facing sites on our global network are periodically scanned as a practice in our program focused on vulnerability management.
Risk assessment
Our information security team engage subject matter experts regularly to provide risk assessments services. Architecture reviews, external vulnerability scans, application security testing and technical compliance reviews are several of the services performed during risk assessment activities.
Following such risk assessment activities, we develop remediation plans and roadmaps to address gaps in compliance, or areas of identified risk.
Additionally, our legal team perform audits against policies, standards and regulatory requirements, and registers findings for review and remediation initiatives within the business.
Physical security and third-party vendor management
All strategic data centres (including cloud service providers where the majority of application products are deployed) are managed to the standards, and industry best practice that CloudCall has adopted. In addition, CloudCall reviews third party data centres assurance reports as part of our vendor risk management program.
Appendix C – International transfers of Personal Data outside of the EEA and/or the UK
1. CLAUSES INCORPORATED INTO THIS DATA PROCESSING ADDENDUM
1.1. This Appendix C incorporates by reference the terms of each of the following:
1.1.1. the EU SCCs, to the extent that the EU GDPR applies to the Data Exporter’s processing when making that transfer; and
1.1.2. the UK Addendum, to the extent that UK GDPR applies to the Data Exporter’s processing when making that transfer.
2. AMENDMENTS TO THE EU SCCS (AS INCORPORATED)
2.1. The ‘module’ of the EU SCCs that shall apply is Module 2 in respect of Controller to Processor transfers.
2.2. The terms of Module 2 of the EU SCCs shall apply varied as follows:
2.2.1. Optional Clause 7 (Docking) is excluded.
2.2.2 Clause 9(a) (Use of sub-processors) is amended so that the optional wording providing for general written authorisation of sub-processors (option 2) is chosen.
2.2.3. The optional wording in Clause 11 (Redress) is excluded.
2.2.4. The relevant supervisory authority under Clause 13 (Supervision) shall be determined in accordance with the location of the Customer, as the Data Exporter., and Part C of Annex 1 shall be updated to align accordingly.
2.2.5. Clause 17 (Governing law) is amended so that the law of the EU member state in which the Customer, as the Data Exporter, is established (option 2) is chosen. In instances where the Customer is not established in an EU member state, option 1 and the laws of Ireland will be chosen and shall apply accordingly.
2.2.6 Clause 18(b) (Choice of forum and jurisdiction) is amended to reflect the courts of the EU member state chosen in Clause 17 (as amended in accordance with clause 3.2.5 above).
2.2.7. Parts A and B of Annex 1 are amended to incorporate the details set out in Appendix A of this DPA.
2.2.8. Annex 2 is amended to incorporate the details of the technical and organisational measures set out in Appendix B of this DPA.
2.2.9. Annex 3 is amended to incorporate the list of sub-processors set out in Appendix E of this DPA.
3. AMENDMENTS TO THE UK ADDENDUM (AS INCORPORATED)
3.1. The terms of the UK Addendum shall apply varied as follows:
3.2. Part 1:
3.2.1. Table 1 is amended to include the date on which the Customer enters into the Agreement with CloudCall as the start date, and incorporates all relevant details set out in Appendix A of this DP
3.2.2. The second option in Table 2 is chosen, and Module 2 is chosen as the only module in operation. In addition, the optional inclusion of clause 7 and clause 11 is excluded, and the general authorisation is the option chosen in respect of clause 9(a).
3.2.3. Table 3 is updated to incorporate the details set out in Appendix A, Appendix B and Appendix E of this DPA.
3.2.4. Table 4 is updated to allow both the Data Importer and Data Exporter to end the Addendum.
3.2.5. Clause 12 of the UK Addendum (allowing for the laws and/or courts of Scotland or Northern Ireland instead of the laws and courts of England and Wales) is not agreed by the parties.
Appendix D – Jurisdiction-Specific Terms
1. EEA AND UK:
1.1 Objection to Sub-processors. Customer may object in writing to CloudCall’s appointment of a new Sub-processor within ten (10) calendar days of receiving notice in accordance with Section 3.1 of DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, CloudCall will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
1.2. Government data access requests. As a matter of general practice, CloudCall does not voluntarily provide government agencies or authorities (including law enforcement) Customer Personal Data. If CloudCall receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to Customer Personal Data belonging to a data subject whose primary contact information indicates the data subject is located in Europe or the UK, CloudCall shall:
1.2.1. inform the government agency that CloudCall is a processor of the data;
1.2.2. attempt to redirect the agency to request the data directly from Customer; and
1.2.3. notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy. As part of this effort, CloudCall may provide Customer’s primary and billing contact information to the relevant authority. CloudCall shall not be required to comply with this paragraph 1.2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or to CloudCall.
2. CALIFORNIA:
2.1. Definitions. Except as described otherwise, the definitions of: “controller” includes “Business”; “processor” includes “Service Provider”; “data subject” includes “Consumer”; “personal data” includes “Personal Information”; in each case as defined under CCPA. For this “California” section only, “Permitted Purposes” shall include processing Customer Personal Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” under the CCPA.
2.2. Consumer’s rights. CloudCall’s obligations regarding data subject requests, as described in Section 8 (Data Subject Rights and Cooperation) of this DPA, apply to Consumer’s rights under the CCPA.
2.3. Permitted purpose. Notwithstanding any use restriction contained elsewhere in this DPA, CloudCall shall process Customer Personal Data only to perform the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, except where otherwise required by applicable law. CloudCall may de-identify or aggregate Customer Personal Data as part of performing the Service specified in this DPA and the Agreement.
2.4. Sub-processors. Where Sub-processors process the personal data of Customer contacts, CloudCall takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom CloudCall has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. CloudCall conducts appropriate due diligence on its Sub-processors. Where Sub-processors process the personal data of Customer contacts, CloudCall takes steps to ensure that such Sub-processors are Service Providers under the CCPA with whom CloudCall has entered into a written contract that includes terms substantially similar to this DPA or are otherwise exempt from the CCPA’s definition of “sale”. CloudCall conducts appropriate due diligence on its Sub-processors.
3. CANADA:
3.1. Sub-processors. CloudCall takes steps to ensure that CloudCall’s Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA, with whom CloudCall has entered into a written contract that includes terms substantially similar to this DPA. CloudCall conducts appropriate due diligence on its Sub-processors.
3.2. Security. CloudCall will implement technical and organisational measures as set out in Section 4 (Security) of the DPA.
Appendix E – CloudCall’s Sub-Processors
CloudCall engages the following sub-processors in provision of the Service(s) to the Customer:
| Country | Sub-Processor | Processing Activities | Company Details |
| Australia | Amazon Web Services | Cloud hosting services | Level 37, 2-26 Park Street, Sydney, NSW, 2000, Australia |
| SYMBIO Holdings Limited | Cloud-Based Communications software | 580 George Street Level 4 Sydney, NSW 2000 Australia | |
| Canada | Amazon Web Services | Cloud hosting services | 120 Bremner Blvd 26th Floor, Toronto, ON M5J 0A1, Canada |
| Ireland | Amazon Web Services | Cloud hosting services | 4033 Citywest Avenue, Cooldown Commons, County Dublin, Ireland |
| DIDWW Ireland Limited | Communications services provider | 11 The Haven, Malahide, Co. Dublin, K36 R983, Ireland | |
| UK | BT Wholesale (British Telecom, PLC) | Communications services provider | 1 Braham Street, London, United Kingdom, E1 8EE |
| Bandwidth International (Voxbone) | Software application programming interfaces | Hydra Communications, C/O Blenheim 10 Fountain Court, Bradley Stoke, BS32 4LA UK | |
| Gamma Telecom Holdings Limited | Unified Communications as a Service provider | The Scalpel, 18th Floor, 52 Lime Street, London, EC3M 7AF | |
| Colt Technology Services Group Limited | Digital infrastructure | Colt House, 20 Great Eastern Street, London, England, EC2A 3EH | |
| US | Amazon, Inc. | Cloud hosting services | 440 Terry Avenue North. Seattle, WA 98109. USA |
| Amazon Web Services | Cloud hosting services | 440 Terry Avenue North. Seattle, WA 98109. USA | |
| Deepgram, Inc | Transcription services | 548 Market St, Suite 25104, San Francisco, CA 94104-5401, USA | |
| Google, Inc. | Speech to text, Text to Speech, and Natural Language cloud services | 1600 Amphitheatre Parkway Mountain View, CA 94043, USA | |
| Bandwidth, Inc | Voice and/or SMS Carrier | 900 Main Campus Dr, Suite 500, Raleigh, NC, | |
| Lumen Technologies, Inc. | Voice and/or SMS Carrier | 100 Century Link Drive Monroe, LA 71203 USA | |
| Stripe, Inc. | Payment Processing Services | 510 Townsend Street San Francisco California 94103 | |
| Sweden | Sinch (Ab) | Voice and/or SMS Carrier | Lindhagensgatan 112 112 51 Stockholm Sweden |
CARRIER COST RECOVERY FEE
In addition to the monthly service charges billed for CloudCall Inc. (“CloudCall”) services, surcharges, taxes, fees and other charges may be applied to your monthly invoice based on the type of service you have and your geographical location, among other factors. Certain taxes, fees or surcharges may show up as separate line items on your invoice. Examples include, but are not limited to, the following.
Federal Universal Service Fund (FUSF). The Telecommunications Act of 1996 requires CloudCall to contribute to the Federal Universal Service Fund (“FUSF”). The FUSF helps to make phone service affordable and available to all Americans, including consumers with low incomes; those living in areas where the cost of providing telephone service is high; public schools and libraries; and rural healthcare providers. The Federal Communications Commission (“FCC”) delegates the administration of the FUSF to the Universal Service Administrative Company (“USAC”). Each quarter, the FCC adopts a “contribution factor” for FUSF support. The contribution factor is a percentage of the total interstate and international end-user telecommunications and Interconnected VoIP (“I-VoIP”) revenue that each carrier is responsible for contributing to the FUSF. As permitted by FCC regulations, CloudCall has opted to bill the FUSF surcharge as a separate line item to end-user customers. Consistent with such regulations, CloudCall only bills FUSF line item charges in an amount equal to the quarterly contribution factor currently in effect multiplied by the invoiced amount subject to the FUSF. This is a permissible pass-through surcharge but is not a tax or charge mandated by the government.
Please visit USAC’s Website for more information on the FUSF.
State Universal Service Fund (USF). CloudCall may also be required to contribute to State Universal Service Funds (“SUSF”). The funds may be used to assist in providing universal service and to support a variety of other programs at the state level. CloudCall collects applicable charges from its end-user customers. These charges are permissible pass-through surcharges but are not taxes or charges mandated by the government.
Telecommunications Relay Services Fund. Some states also require contributions to State Telecommunications Relay Services (“TRS”) Funds to offset the cost of providing local transmission services that provide hearing or speech challenged individuals with the ability to use certain communications services. Many states require CloudCall to remit this fee to the governing authority. CloudCall collects applicable fees from customers and remits them to the relevant authorities.
State & Local Sales and Use Tax
All states, with limited exceptions, impose some form of state-level sales and use tax. The sales and use tax is generally imposed on the sale or use of tangible personal property and certain services. These taxes are intended to be passed on to the end user/consumer.
In many states, local jurisdictions also impose a sales or use tax. In some instances, the local sales and use tax is administered by the local jurisdiction. In other instances, the state administers the local sales and use tax.
Certain exemptions apply for sales for resale, and sales to certain types of entities (e.g., the federal government, state and local governments, non-profit entities, etc.).
CloudCall collects sales and/or use taxes as required by state and/or local law.
Communications Services Tax
Some state and local jurisdictions impose communications specific taxes on communications services in addition to or in lieu of sales or use tax. The communications services tax is intended to be passed on to the end user/consumer. The rates for communications services taxes are usually different than the sales and use tax rates and vary by jurisdiction.
Certain exemptions apply for sales for resale, and sales to certain types of entities (e.g., the federal government, state and local governments, non-profit entities, etc.).
CloudCall collects communications services taxes as required by applicable state and/or local law.
Gross Receipts Taxes
A number of states impose a gross receipts tax on communications service providers. In some states, gross receipts taxes are intended to be passed on to the end user/consumer. In other states, the gross receipts tax is the responsibility of the seller, and there is no pass-through to the end user.
Certain exemptions may exist for gross receipts taxes that are intended to be passed on to the customer, based on the type of entity making the purchase (e.g., the federal government, state and local governments, non-profit entities, etc.).
CloudCall pays gross receipts taxes and collects them from customers when required (or permitted) by applicable state and/or local law.
Local Utility Taxes
Local utility taxes are imposed by cities and counties in a select number of states. Certain exemptions apply for sales for resale, and sales to certain types of entities (e.g., the federal government, state and local governments, non-profit entities, etc.).
CloudCall pays local utility taxes and collects them from customers when required (or permitted) by applicable state and/or local law.
Local License Taxes
Local license taxes are imposed by cities and counties in a limited number of states.
Certain exemptions apply for sales for resale, and sales to certain types of entities (e.g., the federal government, state and local governments, non-profit entities, etc.).
CloudCall pays local license taxes and collects them from customers when required (or permitted) by applicable state and/or local law.
E911 Fees
In order to fund the provision of 911 emergency telephone service, state and local jurisdictions impose E911 fees on certain communications services. These fees are sometimes administered by the state department of revenue, but the majority of E911 fees are assessed and administered by local jurisdictions. E911 fees are intended to be passed on to the customer on the invoice. Sales for resale are generally exempt from E911 fees. Non-profit organizations are generally subject to E911 fees, whereas they might be exempt from taxes or other fees.
CloudCall collects E911 fees from customers when required by applicable state and/or local law.
You can visit the Federal Communications Commission website for more 911 emergency service information.
Carrier Cost Recovery Fee (CCRF). A Carrier Cost Recovery Fee (“CCRF”) equal to $3.99 per user (excluding taxes) will be charged on a monthly basis. This charge is imposed to recover costs incurred by CloudCall for fees, contributions and/or charges associated with telecommunications services for the sight and hearing impaired, local number portability, North American Numbering Plan administration, and administrative costs, fees and expenditures related to compliance with Federal regulatory programs and annual FCC regulatory fee obligations, along with other carrier and administrative expenses (including, but not limited to, costs imposed upon CloudCall by its suppliers). This charge also will cover administrative costs related to customer support.
This is a permissible fee but is not a tax or charge mandated by the government. For more information on programs supported by the CCRF, please see below.
Federal Telecommunications Relay Services (TRS) Fund. The TRS Fund was established by the FCC in 1993 to reimburse TRS providers for the cost of providing interstate TRS services. TRS services are telephone transmission services that provide hearing or speech challenged individuals with the ability to use a traditional telephone.
Under the FCC’s rules, CloudCall must contribute a percentage of its intrastate, interstate and international end-user communications revenues to the TRS Fund. The contribution percentage varies annually.
Local Number Portability Administration (LNPA). Local Number Portability (“LNP”) is a customer’s ability to keep existing phone numbers when switching to another service provider. CloudCall must provide LNP, as well as contribute to the FCC’s LNPA program, designed to diffuse the costs of administering LNP. CloudCall pays a proportionate share of the LNP costs in each region in which it operates and has customers. This fee varies frequently by region.
North American Numbering Program Administration (NANPA). The North American Numbering Plan (“NANP”) is an integrated telephone numbering plan for the Public Switched Telephone Network (“PSTN”) serving multiple countries including the United States and its territories. It is administered by the North American Numbering Plan Administration (“NANPA”).
Under the FCC’s rules, CloudCall must contribute to the costs of numbering administration. Contributions are based on a percentage of CloudCall’s revenues from customers using international, intrastate and interstate communications services. The percentage varies annually.
Annual Regulatory Fee. CloudCall, as an interstate service provider, must pay an annual regulatory fee to the FCC. This fee varies annually.
POLICY: COOKIES
We amend this policy from time to time. Every time you wish to use our site, please check this policy to ensure you understand the policy which applies at that time.
We keep our Cookies Policy under regular review. This version was last updated on 3rd February 2022.
Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
• Strictly necessary or essential cookies. These are cookies that are required for the operation of our website.
• Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences.
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
We’re so confident that you’ll love CloudCall o1, we’ll buy out your existing contract.
CloudCall o1. The one and only unified communication platform built for businesses that use CRMs.
Seamless experience across mobile, web and desktop for maximum agent productivity.
Indestructible new infrastructure for business consistency and effortless scalability
Available for the World’s leading CRM’s
